124 lines
5.7 KiB
Diff
124 lines
5.7 KiB
Diff
From e534a858d15589f27181b82c8ed8abefc56fb95f Mon Sep 17 00:00:00 2001
|
|
From: Andrew Bartlett <abartlet@samba.org>
|
|
Date: Tue, 12 Sep 2023 18:59:44 +1200
|
|
Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
|
|
default
|
|
|
|
The rpcecho server is useful in development and testing, but should never
|
|
have been allowed into production, as it includes the facility to
|
|
do a blocking sleep() in the single-threaded rpc worker.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
|
|
lib/param/loadparm.c | 2 +-
|
|
selftest/target/Samba4.pm | 2 +-
|
|
source3/param/loadparm.c | 2 +-
|
|
source4/rpc_server/wscript_build | 3 ++-
|
|
5 files changed, 6 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
|
|
index 8a217cc7f11..c6642b795fd 100644
|
|
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
|
|
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
|
|
@@ -6,6 +6,6 @@
|
|
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
|
|
</description>
|
|
|
|
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
|
|
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
|
|
<value type="example">rpcecho</value>
|
|
</samba:parameter>
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index 16cb0d47f31..83b05260e09 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
|
|
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
|
|
|
|
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
|
|
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
|
|
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
|
|
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
|
|
/* the winbind method for domain controllers is for both RODC
|
|
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
|
index d15156a538b..5687d2a8587 100755
|
|
--- a/selftest/target/Samba4.pm
|
|
+++ b/selftest/target/Samba4.pm
|
|
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
|
|
wins support = yes
|
|
server role = $ctx->{server_role}
|
|
server services = +echo $services
|
|
- dcerpc endpoint servers = +winreg +srvsvc
|
|
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
|
|
notify:inotify = false
|
|
ldb:nosync = true
|
|
ldap server require strong auth = yes
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index 12718ced9e7..e33751a27e3 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
|
|
Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
|
|
|
|
- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
|
|
+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
|
|
|
|
Globals.tls_enabled = true;
|
|
Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
|
|
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
|
|
index 0e44a3c2bae..31ec4f60c9a 100644
|
|
--- a/source4/rpc_server/wscript_build
|
|
+++ b/source4/rpc_server/wscript_build
|
|
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
|
|
source='echo/rpc_echo.c',
|
|
subsystem='dcerpc_server',
|
|
init_function='dcerpc_server_rpcecho_init',
|
|
- deps='ndr-standard events'
|
|
+ deps='ndr-standard events',
|
|
+ enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
|
|
)
|
|
|
|
|
|
--
|
|
2.25.1
|
|
|
|
|
|
From 8ce92246a016f3e7f23b6a94ceb666f776e56998 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Bartlett <abartlet@samba.org>
|
|
Date: Tue, 12 Sep 2023 19:01:03 +1200
|
|
Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for
|
|
consistency with the AD DC
|
|
|
|
The rpcecho server in source3 does have samba the sleep() feature that
|
|
the s4 version has, but the task architecture is different, so there
|
|
is not the same impact. Hoever equally this is not something that
|
|
should be enabled on production builds of Samba, so restrict to
|
|
selftest builds.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
source3/rpc_server/wscript_build | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
|
|
index 341df41a321..5ed81283395 100644
|
|
--- a/source3/rpc_server/wscript_build
|
|
+++ b/source3/rpc_server/wscript_build
|
|
@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho',
|
|
RPC_WORKER
|
|
RPC_RPCECHO
|
|
''',
|
|
+ for_selftest=True,
|
|
install_path='${SAMBA_LIBEXECDIR}')
|
|
|
|
bld.SAMBA3_BINARY('rpcd_classic',
|
|
--
|
|
2.25.1
|