samba.git
3 years agoCVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_pr...
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: avoid dereferencing sec->auth_info in dcerpc_request_prepare_vt()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RES...
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: always use ncacn_pull_request_auth() for DCERPC_PKT_RESPONSE pdus

It handles the case of DCERPC_AUTH_TYPE_NONE just fine and it makes it
possible to do some verification in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_r...
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: avoid using c->security_state.auth_info in ncacn_pull_request_auth()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in...
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: avoid using hs->p->conn->security_state.auth_info in dcerpc_bh_auth_info()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: use a local auth_info variable in ncacn_push_request_sign()

We should avoid using the global dcecli_security->auth_info struct for
individual requests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: use auth_context_id = 1

In future we want to verify that the auth_context_id from the server
is what we expect.

As Samba (<= 4.2.3) use a hardcoded value of 1 in responses, we
need to use that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}
Stefan Metzmacher [Sat, 27 Jun 2015 08:31:48 +0000 (10:31 +0200)]
CVE-2015-5370: s4:librpc/rpc: maintain dcecli_security->auth_{type,level,context_id}

This will simplify the following commits and avoids dereferencing
dcecli_security->auth_info.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed
Stefan Metzmacher [Wed, 8 Jul 2015 14:25:48 +0000 (16:25 +0200)]
CVE-2015-5370: s4:librpc/rpc: send a dcerpc_sec_verification_trailer if needed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length...
Stefan Metzmacher [Mon, 29 Jun 2015 08:24:45 +0000 (10:24 +0200)]
CVE-2015-5370: s3:librpc/rpc: don't call dcerpc_pull_auth_trailer() if auth_length is 0

All other paranoia checks are done within dcerpc_pull_auth_trailer()
now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()
Stefan Metzmacher [Sat, 27 Jun 2015 23:19:57 +0000 (01:19 +0200)]
CVE-2015-5370: librpc/rpc: simplify and harden dcerpc_pull_auth_trailer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines
Stefan Metzmacher [Thu, 16 Jul 2015 20:46:05 +0000 (22:46 +0200)]
CVE-2015-5370: dcerpc.idl: add DCERPC_{NCACN_PAYLOAD,FRAG}_MAX_SIZE defines

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
Stefan Metzmacher [Sun, 28 Feb 2016 21:48:11 +0000 (22:48 +0100)]
CVE-2016-2118: s3:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...

This requires transport encryption.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...
Stefan Metzmacher [Sun, 28 Feb 2016 21:48:11 +0000 (22:48 +0100)]
CVE-2016-2118: s4:rpc_server/samr: allow _samr_ValidatePassword only with PRIVACY...

This requires transport encryption.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"
Stefan Metzmacher [Thu, 10 Mar 2016 16:03:59 +0000 (17:03 +0100)]
CVE-2016-2118: docs-xml: default "allow dcerpc auth level connect" to "no"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by...
Stefan Metzmacher [Sat, 26 Mar 2016 07:47:42 +0000 (08:47 +0100)]
CVE-2016-2118: s3:rpc_server/{epmapper,echo}: allow DCERPC_AUTH_LEVEL_CONNECT by default

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT...
Stefan Metzmacher [Fri, 7 Aug 2015 07:50:30 +0000 (09:50 +0200)]
CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default

This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Pair-Programmed-With: Günther Deschner <gd@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"
Stefan Metzmacher [Fri, 18 Mar 2016 03:40:30 +0000 (04:40 +0100)]
CVE-2016-2118: s3:rpc_server: make use of "allow dcerpc auth level connect"

With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.

We sadly need to keep this enabled by default for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Pair-Programmed-With: Günther Deschner <gd@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default
Stefan Metzmacher [Sat, 26 Mar 2016 18:19:04 +0000 (19:19 +0100)]
CVE-2016-2118: s4:rpc_server/rpcecho: allow DCERPC_AUTH_LEVEL_CONNECT by default

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default
Stefan Metzmacher [Sat, 26 Mar 2016 18:18:42 +0000 (19:18 +0100)]
CVE-2016-2118: s4:rpc_server/mgmt: allow DCERPC_AUTH_LEVEL_CONNECT by default

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default
Stefan Metzmacher [Sat, 26 Mar 2016 18:17:40 +0000 (19:17 +0100)]
CVE-2016-2118: s4:rpc_server/epmapper: allow DCERPC_AUTH_LEVEL_CONNECT by default

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default
Stefan Metzmacher [Fri, 7 Aug 2015 11:52:48 +0000 (13:52 +0200)]
CVE-2016-2118: s4:rpc_server/netlogon: reject DCERPC_AUTH_LEVEL_CONNECT by default

This prevents man in the middle downgrade attacks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
Stefan Metzmacher [Fri, 7 Aug 2015 07:50:30 +0000 (09:50 +0200)]
CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default

This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default
Stefan Metzmacher [Fri, 7 Aug 2015 07:50:30 +0000 (09:50 +0200)]
CVE-2016-2118: s4:rpc_server/lsa: reject DCERPC_AUTH_LEVEL_CONNECT by default

This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"
Stefan Metzmacher [Thu, 10 Mar 2016 01:46:59 +0000 (02:46 +0100)]
CVE-2016-2118: s4:rpc_server: make use of "allow dcerpc auth level connect"

With this option turned off we only allow DCERPC_AUTH_LEVEL_{NONE,INTEGRITY,PRIVACY},
this means the reject any request with AUTH_LEVEL_CONNECT with ACCESS_DENIED.

We sadly need to keep this enabled by default for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"
Stefan Metzmacher [Thu, 10 Mar 2016 16:03:59 +0000 (17:03 +0100)]
CVE-2016-2118: docs-xml: add "allow dcerpc auth level connect" defaulting to "yes"

We sadly need to allow this for now by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:librpc: use integrity by default for authenticated binds
Stefan Metzmacher [Fri, 11 Mar 2016 15:02:25 +0000 (16:02 +0100)]
CVE-2016-2118: s4:librpc: use integrity by default for authenticated binds

ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT...
Stefan Metzmacher [Tue, 15 Dec 2015 13:49:36 +0000 (14:49 +0100)]
CVE-2016-2118: librpc: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY

ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CO...
Stefan Metzmacher [Tue, 15 Dec 2015 13:49:36 +0000 (14:49 +0100)]
CVE-2016-2118: s3: rpcclient: change the default auth level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY

ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY
Stefan Metzmacher [Thu, 10 Mar 2016 03:06:04 +0000 (04:06 +0100)]
CVE-2016-2118: s4:rpc_server/dnsserver: require at least DCERPC_AUTH_LEVEL_INTEGRITY

This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests
Stefan Metzmacher [Mon, 14 Mar 2016 21:15:00 +0000 (22:15 +0100)]
CVE-2016-2118: python:tests/dcerpc: use [sign] for dnsserver tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY
Stefan Metzmacher [Tue, 14 Jul 2015 07:13:00 +0000 (09:13 +0200)]
CVE-2016-2118: s4:rpc_server/backupkey: require DCERPC_AUTH_LEVEL_PRIVACY

This is required for the whole interface (which has just one opnum for now).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
Stefan Metzmacher [Tue, 14 Jul 2015 07:13:00 +0000 (09:13 +0200)]
CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY

This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presen...
Stefan Metzmacher [Tue, 14 Jul 2015 07:12:18 +0000 (09:12 +0200)]
CVE-2016-2118: s4:rpc_server: make it possible to define a min_auth_level on a presentation context

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"
Stefan Metzmacher [Tue, 15 Mar 2016 22:52:30 +0000 (23:52 +0100)]
CVE-2016-2115: docs-xml: always default "client ipc signing" to "mandatory"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max...
Ralph Boehme [Wed, 16 Dec 2015 09:04:35 +0000 (10:04 +0100)]
CVE-2016-2115: s3:libsmb: use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol()

Use SMB_SIGNING_IPC_DEFAULT and lp_client_ipc_{min,max}_protocol() for RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT
Ralph Boehme [Wed, 16 Dec 2015 09:03:52 +0000 (10:03 +0100)]
CVE-2016-2115: s3:libnet: use SMB_SIGNING_IPC_DEFAULT

Use SMB_SIGNING_IPC_DEFAULT for RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT
Ralph Boehme [Wed, 16 Dec 2015 09:03:13 +0000 (10:03 +0100)]
CVE-2016-2115: s3:auth_domain: use SMB_SIGNING_IPC_DEFAULT

Use SMB_SIGNING_IPC_DEFAULT for RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT
Ralph Boehme [Wed, 16 Dec 2015 09:01:59 +0000 (10:01 +0100)]
CVE-2016-2115: s3:lib/netapi: use SMB_SIGNING_IPC_DEFAULT

Use SMB_SIGNING_IPC_DEFAULT for RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT
Ralph Boehme [Wed, 16 Dec 2015 09:00:09 +0000 (10:00 +0100)]
CVE-2016-2115: net: use SMB_SIGNING_IPC_DEFAULT

Use SMB_SIGNING_IPC_DEFAULT for RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"
Stefan Metzmacher [Fri, 18 Dec 2015 16:16:04 +0000 (17:16 +0100)]
CVE-2016-2115: s3:libsmb: let SMB_SIGNING_IPC_DEFAULT use "client ipc min/max protocol"

We need NT1 => LATEST in order to work against all servers which support
DCERPC over ncacn_np.

This is a mini step in using SMB2/3 in our client side by default.

This gives us a higher chance that SMB signing is supported by the
server (as it can't be turned off for SMB2 and higher).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT
Ralph Boehme [Wed, 16 Dec 2015 08:55:37 +0000 (09:55 +0100)]
CVE-2016-2115: s3:libsmb: add signing constant SMB_SIGNING_IPC_DEFAULT

SMB_SIGNING_IPC_DEFAULT must be used from s3 client code when opening
RPC connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()
Stefan Metzmacher [Mon, 21 Dec 2015 12:22:16 +0000 (13:22 +0100)]
CVE-2016-2115: s3:winbindd: use lp_client_ipc_signing()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
Stefan Metzmacher [Sat, 27 Feb 2016 03:23:58 +0000 (04:23 +0100)]
CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np
Stefan Metzmacher [Fri, 28 Mar 2014 12:44:29 +0000 (13:44 +0100)]
CVE-2016-2115: s4:librpc/rpc: make use of "client ipc *" options for ncacn_np

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()
Stefan Metzmacher [Sat, 27 Feb 2016 03:15:38 +0000 (04:15 +0100)]
CVE-2016-2115: s4:libcli/raw: pass the minprotocol to smb_raw_negotiate*()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()
Stefan Metzmacher [Sat, 27 Feb 2016 03:15:38 +0000 (04:15 +0100)]
CVE-2016-2115: s4:libcli/raw: limit maxprotocol to NT1 in smb_raw_negotiate*()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s4:libcli/smb2: use the configured min_protocol
Stefan Metzmacher [Sat, 27 Feb 2016 03:14:39 +0000 (04:14 +0100)]
CVE-2016-2115: s4:libcli/smb2: use the configured min_protocol

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol
Stefan Metzmacher [Sat, 27 Feb 2016 03:13:11 +0000 (04:13 +0100)]
CVE-2016-2115: s4:libcli/raw: add smbcli_options.min_protocol

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: docs-xml: add "client ipc signing" option
Stefan Metzmacher [Sat, 27 Feb 2016 02:43:58 +0000 (03:43 +0100)]
CVE-2016-2115: docs-xml: add "client ipc signing" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol...
Stefan Metzmacher [Sat, 27 Feb 2016 02:45:43 +0000 (03:45 +0100)]
CVE-2016-2115: docs-xml: add "client ipc min protocol" and "client ipc max protocol" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality
Stefan Metzmacher [Wed, 15 Jul 2015 08:57:03 +0000 (10:57 +0200)]
CVE-2016-2114: docs-xml: let the "smb signing" documentation reflect the reality

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2114: s3:smbd: enforce "server signing = mandatory"
Ralph Boehme [Tue, 22 Mar 2016 15:30:42 +0000 (16:30 +0100)]
CVE-2016-2114: s3:smbd: enforce "server signing = mandatory"

This fixes a regression that was introduced by commit
abb24bf8e874d525382e994af7ae432212775153
("s3:smbd: make use of better SMB signing negotiation").

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing
Ralph Boehme [Tue, 22 Mar 2016 15:25:32 +0000 (16:25 +0100)]
CVE-2016-2114: libcli/smb: let mandatory signing imply allowed signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
Stefan Metzmacher [Wed, 15 Jul 2015 08:57:03 +0000 (10:57 +0200)]
CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"

This means an ad_dc will now require signing by default.
This matches the default behavior of Windows dc and avoids
man in the middle attacks.

The main logic for this hides in lpcfg_server_signing_allowed().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2114: s4:smb2_server: fix session setup with required signing
Stefan Metzmacher [Thu, 16 Jul 2015 02:45:16 +0000 (04:45 +0200)]
CVE-2016-2114: s4:smb2_server: fix session setup with required signing

The client can't sign the session setup request...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11687

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"
Stefan Metzmacher [Wed, 16 Mar 2016 12:03:08 +0000 (13:03 +0100)]
CVE-2016-2113: docs-xml: let "tls verify peer" default to "as_strict_as_possible"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2113: selftest: use "tls verify peer = no_check"
Stefan Metzmacher [Sat, 26 Mar 2016 07:38:46 +0000 (08:38 +0100)]
CVE-2016-2113: selftest: use "tls verify peer = no_check"

Individual tests will check the more secure values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
Stefan Metzmacher [Wed, 16 Mar 2016 14:07:36 +0000 (15:07 +0100)]
CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for...
Stefan Metzmacher [Mon, 21 Mar 2016 02:56:22 +0000 (03:56 +0100)]
CVE-2016-2113: s4:selftest: explicitly use '--option="tlsverifypeer=no_check" for some ldaps tests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
Stefan Metzmacher [Wed, 23 Dec 2015 21:12:56 +0000 (22:12 +0100)]
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
Stefan Metzmacher [Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)]
CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with...
Stefan Metzmacher [Wed, 23 Dec 2015 14:39:48 +0000 (15:39 +0100)]
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert

The generated ca cert (in ca.pem) was completely useless,
it could be replaced by cert.pem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: docs-xml: change the default of "ldap server require strong auth"...
Stefan Metzmacher [Fri, 25 Mar 2016 18:24:20 +0000 (19:24 +0100)]
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and...
Stefan Metzmacher [Mon, 21 Dec 2015 09:04:48 +0000 (10:04 +0100)]
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc

We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: selftest: servers with explicit "ldap server require strong auth"...
Stefan Metzmacher [Mon, 21 Dec 2015 09:27:33 +0000 (10:27 +0100)]
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options

The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
Stefan Metzmacher [Sat, 26 Mar 2016 17:07:02 +0000 (18:07 +0100)]
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc

This uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
Stefan Metzmacher [Fri, 28 Aug 2015 10:19:37 +0000 (12:19 +0200)]
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: docs-xml: add "ldap server require strong auth" option
Stefan Metzmacher [Mon, 21 Dec 2015 11:03:56 +0000 (12:03 +0100)]
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
Stefan Metzmacher [Fri, 18 Dec 2015 11:45:56 +0000 (12:45 +0100)]
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain conne...
Stefan Metzmacher [Fri, 18 Dec 2015 10:56:29 +0000 (11:56 +0100)]
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s3:libads: make sure we detect downgrade attacks
Stefan Metzmacher [Thu, 24 Mar 2016 14:50:49 +0000 (15:50 +0100)]
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
Stefan Metzmacher [Tue, 15 Mar 2016 20:59:42 +0000 (21:59 +0100)]
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
Stefan Metzmacher [Sat, 26 Mar 2016 21:08:38 +0000 (22:08 +0100)]
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego...
Stefan Metzmacher [Sun, 27 Mar 2016 00:09:05 +0000 (01:09 +0100)]
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanma...
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
Stefan Metzmacher [Tue, 23 Feb 2016 18:08:31 +0000 (19:08 +0100)]
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function

This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validati...
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validati...
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
Günther Deschner [Fri, 25 Sep 2015 23:29:10 +0000 (01:29 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()

The ensures we apply the "server schannel = yes" restrictions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
Stefan Metzmacher [Wed, 9 Mar 2016 14:31:23 +0000 (15:31 +0100)]
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_h...
Stefan Metzmacher [Tue, 15 Dec 2015 14:10:20 +0000 (15:10 +0100)]
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()

This depends on the DCERPC auth level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel...
Stefan Metzmacher [Tue, 15 Dec 2015 14:11:32 +0000 (15:11 +0100)]
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()

It doesn't make any sense to allow other auth levels.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation...
Stefan Metzmacher [Thu, 19 Nov 2015 15:26:49 +0000 (16:26 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)

We now detect a MsvAvTimestamp in target info as indication
of the server to support NTLMSSP_MIC in the AUTH_MESSAGE.

If the client uses NTLMv2 we provide
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and valid MIC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>