diff options
author | Stefan Metzmacher <metze@samba.org> | 2015-12-01 15:01:09 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2016-04-12 19:25:22 +0200 |
commit | dc6e28d69a7fcc299c08e4368d8f137e6b59ed3a (patch) | |
tree | 507f112aa5af287e71f4027fbbb7ca50725ec3a1 /auth/ntlmssp | |
parent | 7a6b3efdc6451c3cbb157ad8d808f86d154625dd (diff) | |
download | samba-dc6e28d69a7fcc299c08e4368d8f137e6b59ed3a.tar.gz |
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
man smb.conf says "client ntlmv2 auth = yes" the default disables,
"client lanman auth = yes":
...
Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
logins will be attempted.
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'auth/ntlmssp')
-rw-r--r-- | auth/ntlmssp/ntlmssp_client.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index 8a7d58ff573..839d0595460 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -632,6 +632,8 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) if (ntlmssp_state->use_ntlmv2) { ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; + ntlmssp_state->allow_lm_response = false; + ntlmssp_state->allow_lm_key = false; } if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { |