| author | Archana Polampalli <archana.polampalli@windriver.com> | 2024-01-25 10:04:43 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2024-02-07 18:41:41 -0500 |
| commit | c5008af2c57a215d3394af1e96b33fc173dd984e (patch) | |
| tree | d7b5820bfb4481a4da2b806f4037bc886603d6e0 | |
| parent | 306837707cdb7dd0809e3c80790468a208307add (diff) | |
| download | meta-openembedded-c5008af2c57a215d3394af1e96b33fc173dd984e.tar.gz | |
samba: fix CVE-2023-0922
The Samba AD DC administration tool, when operating against a remote LDAP server,
will by default send new or reset passwords over a signed-only connection.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-0922
Upstream patch:
https://github.com/samba-team/samba/commit/04e5a7eb03a
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta-networking/recipes-connectivity/samba/samba/CVE-2023-0922.patch | 111 | ||||
| -rw-r--r-- | meta-networking/recipes-connectivity/samba/samba_4.14.14.bb | 1 |
2 files changed, 112 insertions, 0 deletions
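--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-0922.patch
@@ -0,0 +1,111 @@
+From 04e5a7eb03a1e913f34d77b7b6c2353b41ef546a Mon Sep 17 00:00:00 2001
+From: Rob van der Linde <rob@catalyst.net.nz>
+Date: Mon, 27 Feb 2023 14:06:23 +1300
+Subject: [PATCH] CVE-2023-0922 set default ldap client sasl wrapping to seal
+
+This avoids sending new or reset passwords in the clear
+(integrity protected only) from samba-tool in particular.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
+
+Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+
+CVE: CVE-2023-0922
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/04e5a7eb03a]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+.../ldap/clientldapsaslwrapping.xml | 27 +++++++++----------
+lib/param/loadparm.c | 2 +-
+python/samba/tests/auth_log.py | 2 +-
+source3/param/loadparm.c | 2 +-
+4 files changed, 16 insertions(+), 17 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+index 3152f06..21bd209 100644
+--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
++++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+@@ -18,25 +18,24 @@
+</para>
+
+<para>
+- This option is needed in the case of Domain Controllers enforcing
+- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
+- LDAP sign and seal can be controlled with the registry key
+- "<literal>HKLM\System\CurrentControlSet\Services\</literal>
+- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
+- on the Windows server side.
+- </para>
++ This option is needed firstly to secure the privacy of
++ administrative connections from <command>samba-tool</command>,
++ including in particular new or reset passwords for users. For
++ this reason the default is <emphasis>seal</emphasis>.</para>
+
+- <para>
+- Depending on the used KRB5 library (MIT and older Heimdal versions)
+- it is possible that the message "integrity only" is not supported.
+- In this case, <emphasis>sign</emphasis> is just an alias for
+- <emphasis>seal</emphasis>.
++ <para>Additionally, <command>winbindd</command> and the
++ <command>net</command> tool can use LDAP to communicate with
++ Domain Controllers, so this option also controls the level of
++ privacy for those connections. All supported AD DC versions
++ will enforce the usage of at least signed LDAP connections by
++ default, so a value of at least <emphasis>sign</emphasis> is
++ required in practice.
+</para>
+
+<para>
+- The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
++ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
+with the KDC in the case of using <emphasis>Kerberos</emphasis>.
+</para>
+</description>
+-<value type="default">sign</value>
++<value type="default">seal</value>
+</samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 75687f5..d260691 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2970,7 +2970,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+
+lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
+
+- lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
++ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal");
+
+lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
+
+diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
+index 8ac76fe..d2db380 100644
+--- a/python/samba/tests/auth_log.py
++++ b/python/samba/tests/auth_log.py
+@@ -471,7 +471,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
+def isLastExpectedMessage(msg):
+return (msg["type"] == "Authorization" and
+msg["Authorization"]["serviceDescription"] == "LDAP" and
+- msg["Authorization"]["transportProtection"] == "SIGN" and
++ msg["Authorization"]["transportProtection"] == "SEAL" and
+msg["Authorization"]["authType"] == "krb5")
+
+self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index a99ab35..c47c5f6 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+Globals.ldap_debug_level = 0;
+Globals.ldap_debug_threshold = 10;
+
+- Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
++ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;
+
+Globals.ldap_server_require_strong_auth =
+LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
+--
+2.40.0
+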
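--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -58,6 +58,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
 file://CVE-2018-14628-0004.patch \
 file://CVE-2018-14628-0005.patch \
 file://CVE-2018-14628-0006.patch \
+file://CVE-2023-0922.patch \
 "
 
 SRC_URI:append:libc-musl = " \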
