From 5aaccb3921712d9dc701d4e48f04d2a4c5274c6f Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 3 Aug 2023 10:35:16 +0300 Subject: [PATCH] - Fix CVE-2023-3347 - netlogon: add support for netr_LogonGetCapabilities response level 2 --- ...-support-for-netr_LogonGetCapabiliti.patch | 38 +++++ ...et-rpc.schannel-also-check-netr_Logo.patch | 128 ++++++++++++++++ ...tlogon-generate-FAULT_INVALID_TAG-fo.patch | 89 ++++++++++++ ...tlogon-generate-FAULT_INVALID_TAG-fo.patch | 93 ++++++++++++ ...-add-a-test-for-server-side-mandator.patch | 137 ++++++++++++++++++ ...bd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch | 131 +++++++++++++++++ ...bd-inline-smb2_srv_init_signing-code.patch | 73 ++++++++++ ...bd-remove-comment-in-smbd_smb2_reque.patch | 36 +++++ ...47-smbd-fix-server-signing-mandatory.patch | 63 ++++++++ SPECS/samba.spec | 22 ++- 10 files changed, 808 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch create mode 100644 SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch create mode 100644 SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch create mode 100644 SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch create mode 100644 SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch create mode 100644 SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch create mode 100644 SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch create mode 100644 SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch create mode 100644 SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch diff --git a/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch b/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch new file mode 100644 index 0000000..adf158b --- /dev/null +++ b/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch 
@@ -0,0 +1,38 @@ +From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 17:20:32 +0200 +Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities + response level 2 + +We don't have any documentation about this yet, but tests against +a Windows Server 2022 patched with KB5028166 revealed that +the response for query_level=2 is exactly the same as +for querey_level=1. + +Until we know the reason for query_level=2 we won't +use it as client nor support it in the server, but +we want ndrdump to work. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +--- + librpc/idl/netlogon.idl | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl +index 48a8c8f9310..85dd73ee7e4 100644 +--- a/librpc/idl/netlogon.idl ++++ b/librpc/idl/netlogon.idl +@@ -1236,6 +1236,7 @@ interface netlogon + /* Function 0x15 */ + typedef [switch_type(uint32)] union { + [case(1)] netr_NegotiateFlags server_capabilities; ++ [case(2)] netr_NegotiateFlags server_capabilities; + } netr_Capabilities; + + NTSTATUS netr_LogonGetCapabilities( +-- +2.39.3 + diff --git a/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch b/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch new file mode 100644 index 0000000..608a91d --- /dev/null +++ b/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch 
@@ -0,0 +1,128 @@ +From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 17:25:05 +0200 +Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check + netr_LogonGetCapabilities with different levels + +The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG +for unsupported query_levels, we allow it to work with servers +with or without support for query_level=2. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +--- + .../knownfail.d/netr_LogonGetCapabilities | 3 + + source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++- + 2 files changed, 79 insertions(+), 1 deletion(-) + create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities + +diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities +new file mode 100644 +index 00000000000..30aadf3bb9d +--- /dev/null ++++ b/selftest/knownfail.d/netr_LogonGetCapabilities +@@ -0,0 +1,3 @@ ++^samba3.rpc.schannel.*\.schannel\(nt4_dc ++^samba3.rpc.schannel.*\.schannel\(ad_dc ++^samba4.rpc.schannel.*\.schannel\(ad_dc +diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c +index 1f068eb7826..a3d190f13dd 100644 +--- a/source4/torture/rpc/netlogon.c ++++ b/source4/torture/rpc/netlogon.c +@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t + r.out.capabilities = &capabilities; + r.out.return_authenticator = &return_auth; + +- torture_comment(tctx, "Testing LogonGetCapabilities\n"); ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n"); + ++ r.in.query_level = 0; ++ ZERO_STRUCT(return_auth); ++ ++ /* ++ * we need to operate on a temporary copy of creds ++ * because dcerpc_netr_LogonGetCapabilities with ++ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG ++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ * 
without looking a the authenticator. ++ */ ++ tmp_creds = *creds; ++ netlogon_creds_client_authenticator(&tmp_creds, &auth); ++ ++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); ++ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE, ++ "LogonGetCapabilities query_level=0 failed"); ++ ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n"); ++ ++ r.in.query_level = 3; ++ ZERO_STRUCT(return_auth); ++ ++ /* ++ * we need to operate on a temporary copy of creds ++ * because dcerpc_netr_LogonGetCapabilities with ++ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG ++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ * without looking a the authenticator. ++ */ ++ tmp_creds = *creds; ++ netlogon_creds_client_authenticator(&tmp_creds, &auth); ++ ++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); ++ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE, ++ "LogonGetCapabilities query_level=0 failed"); ++ ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n"); ++ ++ r.in.query_level = 1; + ZERO_STRUCT(return_auth); + + /* +@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t + + *creds = tmp_creds; + ++ torture_assert(tctx, netlogon_creds_client_check(creds, ++ &r.out.return_authenticator->cred), ++ "Credential chaining failed"); ++ ++ torture_assert_int_equal(tctx, creds->negotiate_flags, ++ capabilities.server_capabilities, ++ "negotiate flags"); ++ ++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n"); ++ ++ r.in.query_level = 2; ++ ZERO_STRUCT(return_auth); ++ ++ /* ++ * we need to operate on a temporary copy of creds ++ * because dcerpc_netr_LogonGetCapabilities with ++ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG ++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ * without looking a the authenticator. 
++ */ ++ tmp_creds = *creds; ++ netlogon_creds_client_authenticator(&tmp_creds, &auth); ++ ++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); ++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) { ++ /* ++ * an server without KB5028166 returns ++ * DCERPC_NCA_S_FAULT_INVALID_TAG => ++ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE ++ */ ++ return true; ++ } ++ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed"); ++ ++ *creds = tmp_creds; ++ + torture_assert(tctx, netlogon_creds_client_check(creds, + &r.out.return_authenticator->cred), + "Credential chaining failed"); +-- +2.39.3 + diff --git a/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch b/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch new file mode 100644 index 0000000..febbea8 --- /dev/null +++ b/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch 
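Review bot: The assertion for the query_level=3 call reuses the query_level=0 failure text: after `r.in.query_level = 3;` the `torture_assert_ntstatus_equal` still says `"LogonGetCapabilities query_level=0 failed"`, so a failure in that step would be reported against the wrong level; change it to `"LogonGetCapabilities query_level=3 failed"`. The comment block that is pasted four times reads "without looking a the authenticator" in every copy and should say "at the authenticator". The early `return true;` for query_level=2 on NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE deliberately leaves `*creds` at the un-stepped value and skips every later check in the function; a one-line comment saying that the rest of the test is bypassed for servers without KB5028166 would make that visible to whoever adds checks after it. test_netlogon_capabilities continues past the end of the hunk.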
@@ -0,0 +1,89 @@ +From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 16:11:48 +0200 +Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for + invalid netr_LogonGetCapabilities levels + +This is important as Windows clients with KB5028166 seem to +call netr_LogonGetCapabilities with query_level=2 after +a call with query_level=1. + +An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG +for query_level values other than 1. +While Samba tries to return NT_STATUS_NOT_SUPPORTED, but +later fails to marshall the response, which results +in DCERPC_FAULT_BAD_STUB_DATA instead. + +Because we don't have any documentation for level 2 yet, +we just try to behave like an unpatched server and +generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of +DCERPC_FAULT_BAD_STUB_DATA. +Which allows patched Windows clients to keep working +against a Samba DC. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +--- + .../knownfail.d/netr_LogonGetCapabilities | 2 -- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++--- + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities +index 30aadf3bb9d..99c7ac711ed 100644 +--- a/selftest/knownfail.d/netr_LogonGetCapabilities ++++ b/selftest/knownfail.d/netr_LogonGetCapabilities +@@ -1,3 +1 @@ + ^samba3.rpc.schannel.*\.schannel\(nt4_dc +-^samba3.rpc.schannel.*\.schannel\(ad_dc +-^samba4.rpc.schannel.*\.schannel\(ad_dc +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 6ccba65d3bf..dc2167f08b2 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct 
dcesrv_call_state *dce_c + struct netlogon_creds_CredentialState *creds; + NTSTATUS status; + ++ switch (r->in.query_level) { ++ case 1: ++ break; ++ case 2: ++ /* ++ * Until we know the details behind KB5028166 ++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG ++ * like an unpatched Windows Server. ++ */ ++ FALL_THROUGH; ++ default: ++ /* ++ * There would not be a way to marshall the ++ * the response. Which would mean our final ++ * ndr_push would fail an we would return ++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. ++ * ++ * But it's important to match a Windows server ++ * especially before KB5028166, see also our bug #15418 ++ * Otherwise Windows client would stop talking to us. ++ */ ++ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); ++ } ++ + status = dcesrv_netr_creds_server_step_check(dce_call, + mem_ctx, + r->in.computer_name, +@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c + } + NT_STATUS_NOT_OK_RETURN(status); + +- if (r->in.query_level != 1) { +- return NT_STATUS_NOT_SUPPORTED; +- } +- + r->out.capabilities->server_capabilities = creds->negotiate_flags; + + return NT_STATUS_OK; +-- +2.39.3 + diff --git a/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch b/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch new file mode 100644 index 0000000..bdd2669 --- /dev/null +++ b/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch 
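Review bot: The new `switch` runs before `dcesrv_netr_creds_server_step_check`, so a rejected query_level faults without the authenticator being checked or the credential chain advanced; the rpc.schannel test in 0002 relies on exactly that (it steps a temporary copy of creds), but nothing in the code says so, and a later reorder of the two blocks would break the test silently. Suggest a comment above the switch: `/* Checked before the credential step on purpose: an invalid level must fault without touching the authenticator, as Windows does and as rpc.schannel expects. */`. The `default:` comment has a few slips — "marshall the the response", "fail an we would return", "Windows client would" — and the identical text is repeated in 0004 (srv_netlog_nt.c), so both copies should be corrected together. dcesrv_netr_LogonGetCapabilities starts before and ends after this hunk.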
@@ -0,0 +1,93 @@ +From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 15 Jul 2023 16:11:48 +0200 +Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for + invalid netr_LogonGetCapabilities levels + +This is important as Windows clients with KB5028166 seem to +call netr_LogonGetCapabilities with query_level=2 after +a call with query_level=1. + +An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG +for query_level values other than 1. +While Samba tries to return NT_STATUS_NOT_SUPPORTED, but +later fails to marshall the response, which results +in DCERPC_FAULT_BAD_STUB_DATA instead. + +Because we don't have any documentation for level 2 yet, +we just try to behave like an unpatched server and +generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of +DCERPC_FAULT_BAD_STUB_DATA. +Which allows patched Windows clients to keep working +against a Samba DC. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 +--- + .../knownfail.d/netr_LogonGetCapabilities | 1 - + source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- + 2 files changed, 25 insertions(+), 5 deletions(-) + delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities + +diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities +deleted file mode 100644 +index 99c7ac711ed..00000000000 +--- a/selftest/knownfail.d/netr_LogonGetCapabilities ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.rpc.schannel.*\.schannel\(nt4_dc +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 3ba58e61206..e8aa14167fc 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2284,6 +2284,31 @@ 
NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + struct netlogon_creds_CredentialState *creds; + NTSTATUS status; + ++ switch (r->in.query_level) { ++ case 1: ++ break; ++ case 2: ++ /* ++ * Until we know the details behind KB5028166 ++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG ++ * like an unpatched Windows Server. ++ */ ++ FALL_THROUGH; ++ default: ++ /* ++ * There would not be a way to marshall the ++ * the response. Which would mean our final ++ * ndr_push would fail an we would return ++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. ++ * ++ * But it's important to match a Windows server ++ * especially before KB5028166, see also our bug #15418 ++ * Otherwise Windows client would stop talking to us. ++ */ ++ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; ++ return NT_STATUS_NOT_SUPPORTED; ++ } ++ + become_root(); + status = dcesrv_netr_creds_server_step_check(p->dce_call, + p->mem_ctx, +@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, + return status; + } + +- if (r->in.query_level != 1) { +- return NT_STATUS_NOT_SUPPORTED; +- } +- + r->out.capabilities->server_capabilities = creds->negotiate_flags; + + return NT_STATUS_OK; +-- +2.39.3 + diff --git a/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch b/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch new file mode 100644 index 0000000..92d7698 --- /dev/null +++ b/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch 
@@ -0,0 +1,137 @@ +From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 12:46:31 +0200 +Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory + signing + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 + +Signed-off-by: Ralph Boehme +--- + .../samba3.smb2.session-require-signing | 1 + + selftest/target/Samba3.pm | 1 + + source3/selftest/tests.py | 2 + + source4/torture/smb2/session.c | 64 +++++++++++++++++++ + source4/torture/smb2/smb2.c | 1 + + 5 files changed, 69 insertions(+) + create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing + +diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing +new file mode 100644 +index 00000000000..53b7a7022a8 +--- /dev/null ++++ b/selftest/knownfail.d/samba3.smb2.session-require-signing +@@ -0,0 +1 @@ ++^samba3.smb2.session-require-signing.bug15397 +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index d9e17473615..b4c3c130e9a 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid + # values required for tests to succeed + create krb5 conf = no + map to guest = bad user ++ server signing = required + "; + + my $ret = $self->provision( +diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py +index b069630605a..d2b5409d0a9 100755 +--- a/source3/selftest/tests.py ++++ b/source3/selftest/tests.py +@@ -1097,6 +1097,8 @@ for t in tests: + # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf, + # ad_member_idmap_rid sets "create krb5.conf = no" + plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5') ++ elif t == "smb2.session-require-signing": ++ plansmbtorture4testsuite(t, "ad_member_idmap_rid", 
'//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD') + elif t == "rpc.lsa": + plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ') + plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ') +diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c +index 51df51542d4..823304f190f 100644 +--- a/source4/torture/smb2/session.c ++++ b/source4/torture/smb2/session.c +@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx) + + return suite; + } ++ ++static bool test_session_require_sign_bug15397(struct torture_context *tctx, ++ struct smb2_tree *_tree) ++{ ++ const char *host = torture_setting_string(tctx, "host", NULL); ++ const char *share = torture_setting_string(tctx, "share", NULL); ++ struct cli_credentials *_creds = samba_cmdline_get_creds(); ++ struct cli_credentials *creds = NULL; ++ struct smbcli_options options; ++ struct smb2_tree *tree = NULL; ++ uint8_t security_mode; ++ NTSTATUS status; ++ bool ok = true; ++ ++ /* ++ * Setup our own connection so we can control the signing flags ++ */ ++ ++ creds = cli_credentials_shallow_copy(tctx, _creds); ++ torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy"); ++ ++ options = _tree->session->transport->options; ++ options.client_guid = GUID_random(); ++ options.signing = SMB_SIGNING_IF_REQUIRED; ++ ++ status = smb2_connect(tctx, ++ host, ++ lpcfg_smb_ports(tctx->lp_ctx), ++ share, ++ lpcfg_resolve_context(tctx->lp_ctx), ++ creds, ++ &tree, ++ tctx->ev, ++ &options, ++ lpcfg_socket_options(tctx->lp_ctx), ++ lpcfg_gensec_settings(tctx, tctx->lp_ctx)); ++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done, ++ "smb2_connect failed"); ++ ++ security_mode = smb2cli_session_security_mode(tree->session->smbXcli); ++ ++ torture_assert_int_equal_goto( ++ tctx, ++ security_mode, ++ SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED, ++ ok, ++ done, 
++ "Signing not required"); ++ ++done: ++ return ok; ++} ++ ++struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx) ++{ ++ struct torture_suite *suite = ++ torture_suite_create(ctx, "session-require-signing"); ++ ++ torture_suite_add_1smb2_test(suite, "bug15397", ++ test_session_require_sign_bug15397); ++ ++ suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests"); ++ return suite; ++} +diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c +index c595b108ce8..5b6477e47bc 100644 +--- a/source4/torture/smb2/smb2.c ++++ b/source4/torture/smb2/smb2.c +@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx) + torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite)); + torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock); + torture_suite_add_suite(suite, torture_smb2_session_init(suite)); ++ torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite)); + torture_suite_add_suite(suite, torture_smb2_replay_init(suite)); + torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode); + torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode); +-- +2.39.3 + diff --git a/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch b/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch new file mode 100644 index 0000000..fe3e3cf --- /dev/null +++ b/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch 
@@ -0,0 +1,131 @@ +From 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 21 Jun 2023 15:06:12 +0200 +Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to + smb[1|2]_srv_init_signing() + +No change in behaviour. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 + +Signed-off-by: Ralph Boehme +--- + source3/smbd/proto.h | 3 ++- + source3/smbd/smb1_signing.c | 10 ++-------- + source3/smbd/smb1_signing.h | 3 ++- + source3/smbd/smb2_signing.c | 25 +++++++++++++++---------- + 4 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h +index a39f0a2edfa..3884617e77b 100644 +--- a/source3/smbd/proto.h ++++ b/source3/smbd/proto.h +@@ -52,7 +52,8 @@ struct dcesrv_context; + + /* The following definitions come from smbd/smb2_signing.c */ + +-bool smb2_srv_init_signing(struct smbXsrv_connection *conn); ++bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, ++ struct smbXsrv_connection *conn); + bool srv_init_signing(struct smbXsrv_connection *conn); + + /* The following definitions come from smbd/aio.c */ +diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c +index 6bcb0629c4f..aa3027d5318 100644 +--- a/source3/smbd/smb1_signing.c ++++ b/source3/smbd/smb1_signing.c +@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr) + Called by server negprot when signing has been negotiated. 
+ ************************************************************/ + +-bool smb1_srv_init_signing(struct smbXsrv_connection *conn) ++bool smb1_srv_init_signing(struct loadparm_context *lp_ctx, ++ struct smbXsrv_connection *conn) + { + bool allowed = true; + bool desired; + bool mandatory = false; + +- struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(10, ("loadparm_init_s3 failed\n")); +- return false; +- } +- + /* + * if the client and server allow signing, + * we desire to use it. +@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn) + */ + + desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory); +- talloc_unlink(conn, lp_ctx); + + if (lp_async_smb_echo_handler()) { + struct smbd_shm_signing *s; +diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h +index 56c59c5bbc2..26f60420dfa 100644 +--- a/source3/smbd/smb1_signing.h ++++ b/source3/smbd/smb1_signing.h +@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn); + void smb1_srv_set_signing(struct smbXsrv_connection *conn, + const DATA_BLOB user_session_key, + const DATA_BLOB response); +-bool smb1_srv_init_signing(struct smbXsrv_connection *conn); ++bool smb1_srv_init_signing(struct loadparm_context *lp_ctx, ++ struct smbXsrv_connection *conn); +diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c +index 4691ef4d613..c1f876f9cd7 100644 +--- a/source3/smbd/smb2_signing.c ++++ b/source3/smbd/smb2_signing.c +@@ -26,32 +26,37 @@ + #include "lib/param/param.h" + #include "smb2_signing.h" + +-bool smb2_srv_init_signing(struct smbXsrv_connection *conn) ++bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, ++ struct smbXsrv_connection *conn) + { +- struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DBG_DEBUG("loadparm_init_s3 failed\n"); +- return false; +- } +- + /* + * For SMB2 all we need to 
know is if signing is mandatory. + * It is always allowed and desired, whatever the smb.conf says. + */ + (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); +- talloc_unlink(conn, lp_ctx); + return true; + } + + bool srv_init_signing(struct smbXsrv_connection *conn) + { ++ struct loadparm_context *lp_ctx = NULL; ++ bool ok; ++ ++ lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); ++ if (lp_ctx == NULL) { ++ DBG_DEBUG("loadparm_init_s3 failed\n"); ++ return false; ++ } ++ + #if defined(WITH_SMB1SERVER) + if (conn->protocol >= PROTOCOL_SMB2_02) { + #endif +- return smb2_srv_init_signing(conn); ++ ok = smb2_srv_init_signing(lp_ctx, conn); + #if defined(WITH_SMB1SERVER) + } else { +- return smb1_srv_init_signing(conn); ++ ok = smb1_srv_init_signing(lp_ctx, conn); + } + #endif ++ talloc_unlink(conn, lp_ctx); ++ return ok; + } +-- +2.39.3 + diff --git a/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch b/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch new file mode 100644 index 0000000..f0822aa --- /dev/null +++ b/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch 
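Review bot: A failed `loadparm_init_s3` in srv_init_signing is reported only with `DBG_DEBUG("loadparm_init_s3 failed\n")` before `return false;`, so a connection whose signing configuration could not be loaded leaves no trace at default log levels. The caller that consumes the false return is outside this hunk, but a failure to determine whether signing is mandatory is security-relevant enough that `DBG_ERR` is the better level here. The message is inherited from the two per-protocol functions it replaces, and this hunk is the natural place to fix it since it now sits on the single shared path.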
@@ -0,0 +1,73 @@ +From 59131d6c345864dcf1ed3331c52ce35ddc5db2dc Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 21 Jun 2023 15:10:58 +0200 +Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code + in srv_init_signing() + +It's now a one-line function, imho the overall code is simpler if that code is +just inlined. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 + +Signed-off-by: Ralph Boehme +--- + source3/smbd/proto.h | 2 -- + source3/smbd/smb2_signing.c | 19 ++++++------------- + 2 files changed, 6 insertions(+), 15 deletions(-) + +diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h +index 3884617e77b..78e1b48be09 100644 +--- a/source3/smbd/proto.h ++++ b/source3/smbd/proto.h +@@ -52,8 +52,6 @@ struct dcesrv_context; + + /* The following definitions come from smbd/smb2_signing.c */ + +-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, +- struct smbXsrv_connection *conn); + bool srv_init_signing(struct smbXsrv_connection *conn); + + /* The following definitions come from smbd/aio.c */ +diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c +index c1f876f9cd7..ef4a54d5710 100644 +--- a/source3/smbd/smb2_signing.c ++++ b/source3/smbd/smb2_signing.c +@@ -26,21 +26,10 @@ + #include "lib/param/param.h" + #include "smb2_signing.h" + +-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, +- struct smbXsrv_connection *conn) +-{ +- /* +- * For SMB2 all we need to know is if signing is mandatory. +- * It is always allowed and desired, whatever the smb.conf says. 
+- */ +- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); +- return true; +-} +- + bool srv_init_signing(struct smbXsrv_connection *conn) + { + struct loadparm_context *lp_ctx = NULL; +- bool ok; ++ bool ok = true; + + lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); + if (lp_ctx == NULL) { +@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn) + #if defined(WITH_SMB1SERVER) + if (conn->protocol >= PROTOCOL_SMB2_02) { + #endif +- ok = smb2_srv_init_signing(lp_ctx, conn); ++ /* ++ * For SMB2 all we need to know is if signing is mandatory. ++ * It is always allowed and desired, whatever the smb.conf says. ++ */ ++ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); + #if defined(WITH_SMB1SERVER) + } else { + ok = smb1_srv_init_signing(lp_ctx, conn); +-- +2.39.3 + diff --git a/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch b/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch new file mode 100644 index 0000000..539c940 --- /dev/null +++ b/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch 
@@ -0,0 +1,36 @@ +From 5a222ac37183ba5dd717d81c7e57f78e59695a67 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 18:13:23 +0200 +Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in + smbd_smb2_request_process_negprot() + +This is just going to bitrot. Anyone who's interested can just grep for +"signing_mandatory" and look up what it does. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 + +Signed-off-by: Ralph Boehme +--- + source3/smbd/smb2_negprot.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c +index 9d4ce160e5c..885769be24d 100644 +--- a/source3/smbd/smb2_negprot.c ++++ b/source3/smbd/smb2_negprot.c +@@ -368,12 +368,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) + } + + security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED; +- /* +- * We use xconn->smb2.signing_mandatory set up via +- * srv_init_signing() -> smb2_srv_init_signing(). +- * This calls lpcfg_server_signing_allowed() to get the correct +- * defaults, e.g. signing_required for an ad_dc. +- */ + if (xconn->smb2.signing_mandatory) { + security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; + } +-- +2.39.3 + diff --git a/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch b/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch new file mode 100644 index 0000000..d85c2a0 --- /dev/null +++ b/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch 
@@ -0,0 +1,63 @@ +From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 20 Jun 2023 15:33:02 +0200 +Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory" + +This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when +calling srv_init_signing() very early after accepting the connection in +smbd_add_connection(), conn->protocol is still PROTOCOL_NONE. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 + +Signed-off-by: Ralph Boehme + +Autobuild-User(master): Jule Anger +Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224 +--- + .../samba3.smb2.session-require-signing | 1 - + source3/smbd/smb2_signing.c | 19 ++++++++----------- + 2 files changed, 8 insertions(+), 12 deletions(-) + delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing + +diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing +deleted file mode 100644 +index 53b7a7022a8..00000000000 +--- a/selftest/knownfail.d/samba3.smb2.session-require-signing ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.smb2.session-require-signing.bug15397 +diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c +index ef4a54d5710..73d07380dfa 100644 +--- a/source3/smbd/smb2_signing.c ++++ b/source3/smbd/smb2_signing.c +@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn) + return false; + } + ++ /* ++ * For SMB2 all we need to know is if signing is mandatory. ++ * It is always allowed and desired, whatever the smb.conf says. ++ */ ++ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); ++ + #if defined(WITH_SMB1SERVER) +- if (conn->protocol >= PROTOCOL_SMB2_02) { +-#endif +- /* +- * For SMB2 all we need to know is if signing is mandatory. +- * It is always allowed and desired, whatever the smb.conf says. 
+- */ +- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); +-#if defined(WITH_SMB1SERVER) +- } else { +- ok = smb1_srv_init_signing(lp_ctx, conn); +- } ++ ok = smb1_srv_init_signing(lp_ctx, conn); + #endif ++ + talloc_unlink(conn, lp_ctx); + return ok; + } +-- +2.39.3 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index dc69bc8..d4d2299 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -135,7 +135,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.17.5 -%global baserelease 102 +%global baserelease 103 # This should be rc1 or %%nil %global pre_release %nil @@ -199,7 +199,7 @@ Name: samba Version: %{samba_version} -Release: %{samba_release}%{?dist} +Release: %{samba_release}%{?dist}.alma %if 0%{?fedora} Epoch: 2 
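Review bot: The fix depends on srv_init_signing being called while `conn->protocol` is still PROTOCOL_NONE — that is why the protocol test is dropped and both the SMB2 `signing_mandatory` lookup and `smb1_srv_init_signing` now run unconditionally — but that reasoning lives only in the commit message, so a later cleanup could reintroduce the protocol check and quietly bring back the `server signing = required` bypass. Suggest a comment above the `lpcfg_server_signing_allowed` call: `/* Called from smbd_add_connection() before the protocol is negotiated (conn->protocol is still PROTOCOL_NONE), so initialise both the SMB2 and SMB1 signing state here unconditionally; see bug 15397. */`. With the `if/else` gone, `bool ok = true;` is only ever overwritten by the SMB1 path, which is correct today but worth keeping in mind if the SMB1 initialisation ever gains another failure mode. The knownfail removal in the same patch is the evidence that the new session-require-signing test passes with this change.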
@@ -231,6 +231,20 @@ Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore +# Patches were taken from upstream and backported +# https://github.com/samba-team/samba/commit/dfeabce44fbb78083fbbb2aa634fc4172cf83db9 +Patch0001: 0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch +Patch0002: 0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch +Patch0003: 0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch +Patch0004: 0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch + +# https://github.com/samba-team/samba/commit/9bab902fc50f88869b253c4089d83b3e33a1075a +Patch0005: 0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch +Patch0006: 0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch +Patch0007: 0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch +Patch0008: 0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch +Patch0009: 0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch + Requires(pre): /usr/sbin/groupadd Requires(pre): %{name}-common = %{samba_depver} @@ -4297,6 +4311,10 @@ fi %endif %changelog +* Thu Aug 03 2023 Eduard Abdullin - 4.17.5-103.alma +- Fix CVE-2023-3347 +- netlogon: add support for netr_LogonGetCapabilities response level 2 + * Wed Feb 15 2023 Pavel Filipenský - 4.17.5-102 - resolves: rhbz#2169980 - Fix winbind memory leak - resolves: rhbz#2156056 - Fix Samba shares not accessible issue
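Review bot: The nine `PatchNNNN:` declarations are added, but nothing in this hunk applies them; whether they take effect depends on the spec's %prep using `%autosetup`/`%autopatch` or listing `%patch` lines explicitly, which is outside this diff — worth confirming, since a declared-but-unapplied patch would leave CVE-2023-3347 unfixed while the changelog states it is fixed. The changelog entry departs from the surrounding `- resolves: rhbz#... - ...` style; citing the upstream bug ids already present in the patches would make it traceable, e.g. `- Fix CVE-2023-3347 (samba bug 15397)` and `- netlogon: add support for netr_LogonGetCapabilities response level 2 (samba bug 15418)`. The comment above Patch0001 cites commit dfeabce44fbb… for the netlogon series, but that is the commit of 0004 only; saying the four patches are the series ending in that commit would be clearer.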