diff options
| author | Stefan Metzmacher <metze@samba.org> | 2022-12-06 13:36:17 +0100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:29 +0000 |
| commit | 4d540473c3d43d048a30dd63efaeae9ff87b2aeb (patch) | |
| tree | 5f1abe3c3957674a0fad6dbc2e741bc1ea93b0fe | |
| parent | f964c0c357214637f80d0089723b9b11d1b38f7e (diff) | |
| download | samba-4d540473c3d43d048a30dd63efaeae9ff87b2aeb.tar.gz | |
CVE-2022-38023 testparm: warn about unsecure schannel related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
| -rw-r--r-- | source3/utils/testparm.c | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c index 7e913a8ac4d..121c2b7a522 100644 --- a/source3/utils/testparm.c +++ b/source3/utils/testparm.c @@ -608,6 +608,37 @@ static int do_global_checks(void) "'server require schannel:COMPUTERACCOUNT$ = no' " "options\n\n"); } + if (lp_allow_nt4_crypto()) { + fprintf(stderr, + "WARNING: You have not configured " + "'allow nt4 crypto = no' (the default). " + "Your server is vulernable to " + "CVE-2022-38023 and others!\n" + "If required use individual " + "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' " + "options\n\n"); + } + if (!lp_reject_md5_clients()) { + fprintf(stderr, + "WARNING: You have not configured " + "'reject md5 clients = yes' (the default). " + "Your server is vulernable to " + "CVE-2022-38023!\n" + "If required use individual " + "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' " + "options\n\n"); + } + if (!lp_server_schannel_require_seal()) { + fprintf(stderr, + "WARNING: You have not configured " + "'server schannel require seal = yes' (the default). " + "Your server is vulernable to " + "CVE-2022-38023!\n" + "If required use individual " + "'server schannel require seal:COMPUTERACCOUNT$ = no' " + "options\n\n"); + } + if (lp_client_schannel() != true) { /* can be 'auto' */ fprintf(stderr, "WARNING: You have not configured " @@ -618,6 +649,36 @@ static int do_global_checks(void) "'client schannel:NETBIOSDOMAIN = no' " "options\n\n"); } + if (!lp_reject_md5_servers()) { + fprintf(stderr, + "WARNING: You have not configured " + "'reject md5 servers = yes' (the default). " + "Your server is vulernable to " + "CVE-2022-38023\n" + "If required use individual " + "'reject md5 servers:NETBIOSDOMAIN = no' " + "options\n\n"); + } + if (!lp_require_strong_key()) { + fprintf(stderr, + "WARNING: You have not configured " + "'require strong key = yes' (the default). " + "Your server is vulernable to " + "CVE-2022-38023\n" + "If required use individual " + "'require strong key:NETBIOSDOMAIN = no' " + "options\n\n"); + } + if (!lp_winbind_sealed_pipes()) { + fprintf(stderr, + "WARNING: You have not configured " + "'winbind sealed pipes = yes' (the default). " + "Your server is vulernable to " + "CVE-2022-38023\n" + "If required use individual " + "'winbind sealed pipes:NETBIOSDOMAIN = no' " + "options\n\n"); + } return ret; } |