From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 27 Feb 2016 03:43:58 +0100 Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++ docs-xml/smbdotconf/security/clientsigning.xml | 3 +++ source3/include/proto.h | 1 + source3/param/loadparm.c | 12 ++++++++++++ 4 files changed, 39 insertions(+) create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml new file mode 100644 index 0000000..1897fc6 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientipcsigning.xml @@ -0,0 +1,23 @@ + + + This controls whether the client is allowed or required to use SMB signing for IPC$ + connections as DCERPC transport inside of winbind. Possible values + are auto, mandatory + and disabled. + + + When set to auto, SMB signing is offered, but not enforced and if set + to disabled, SMB signing is not offered either. + + Connections from winbindd to Active Directory Domain Controllers + always enforce signing. + + +client signing + +mandatory + diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml index c657e05..189a7ae 100644 --- a/docs-xml/smbdotconf/security/clientsigning.xml +++ b/docs-xml/smbdotconf/security/clientsigning.xml @@ -12,6 +12,9 @@ When set to auto, SMB signing is offered, but not enforced. When set to mandatory, SMB signing is required and if set to disabled, SMB signing is not offered either. + + IPC$ connections for DCERPC e.g. in winbindd, are handled by the + option. diff --git a/source3/include/proto.h b/source3/include/proto.h index 43008ea..af950aa 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h 
@@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void); int lp_algorithmic_rid_base(void); int lp_name_cache_timeout(void); int lp_client_signing(void); +int lp_client_ipc_signing(void); int lp_server_signing(void); int lp_client_ldap_sasl_wrapping(void); char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index c5249b7..a612e5a3 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -366,6 +366,7 @@ struct global { int restrict_anonymous; int name_cache_timeout; int client_signing; + int client_ipc_signing; int server_signing; int client_ldap_sasl_wrapping; int iUsershareMaxShares; @@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED, }, { + .label = "client ipc signing", + .type = P_ENUM, + .p_class = P_GLOBAL, + .ptr = &Globals.client_ipc_signing, + .special = NULL, + .enum_list = enum_smb_signing_vals, + .flags = FLAG_ADVANCED, + }, + { .label = "server signing", .type = P_ENUM, .p_class = P_GLOBAL, @@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals) Globals.bClientUseSpnego = True; Globals.client_signing = Auto; + Globals.client_ipc_signing = Required; Globals.server_signing = False; Globals.bDeferSharingViolations = True; @@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo) FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase) FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout) FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing) +FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing) FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing) FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping) -- 2.8.1 From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001 
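Review bot: In the init_globals hunk, `Globals.client_ipc_signing = Required;` sits directly under `Globals.client_signing = Auto;` with nothing saying why the two signing defaults differ, which invites a later "harmonisation" that would reopen the issue. A comment such as `/* CVE-2016-2115: IPC$ connections used as DCERPC transport are signed by default, unlike plain client connections */` on the new line would record the intent. The parm_table entry in the earlier hunk binds the option to `enum_smb_signing_vals`, the same table as "client signing", so it accepts whatever spellings that table does, while the new docs file lists only auto, mandatory and disabled; worth checking the two agree.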
From: Andreas Schneider Date: Tue, 5 Apr 2016 10:46:53 +0200 Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are not an smb client BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 Pair-Programmed-With: Ralph Boehme Signed-off-by: Andreas Schneider Signed-off-by: Ralph Boehme --- source3/param/loadparm.c | 14 ++++++++++++++ source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index a612e5a3..c58f860 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname, lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1"); } + if (!lp_is_in_client()) { + switch (lp_client_ipc_signing()) { + case Required: + lp_set_cmdline("client signing", "mandatory"); + break; + case Auto: + lp_set_cmdline("client signing", "auto"); + break; + case False: + lp_set_cmdline("client signing", "disabled"); + break; + } + } + init_iconv(); bAllowIncludeRegistry = true; diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c index 181a7b5..a0fcf27 100644 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe, "", /* username */ "", /* domain */ "", /* password */ - 0, lp_client_signing()); + 0, False); if ( !NT_STATUS_IS_OK( ret ) ) { DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n", -- 2.8.1 From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 31 Mar 2016 11:30:03 +0200 Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind sealed pipes" This will be used in the next commit to prevent mitm attacks on on lsa, samr and netlogon in winbindd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 
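Review bot: The `switch (lp_client_ipc_signing())` added to lp_load_ex has no `default:` case, so any value outside Required/Auto/False leaves "client signing" at whatever the config or its default set, i.e. the IPC policy fails open rather than closed. The option is bound to `enum_smb_signing_vals` in the previous patch, the same table as "client signing"; if that table also maps plain yes/true to a value other than these three, "client ipc signing = yes" would take exactly this path. Adding `default:` / `lp_set_cmdline("client signing", "mandatory");` / `break;` makes the unexpected case the safe one. lp_load_ex begins and ends outside this hunk.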
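Review bot: Replacing `lp_client_signing()` with the literal `False` in spoolss_connect_to_client turns signing off on the back-connection to the print client without a comment saying why, and it is stricter than the previous default of `Auto`, which still offered signing when the peer supported it. If the aim is only to keep this call-back from inheriting the mandatory IPC policy that the lp_load_ex hunk now pushes into "client signing" inside smbd, `0, Auto);` would preserve the old behaviour; if signing must really be off here, a comment such as `/* "client signing" now mirrors "client ipc signing" in smbd (CVE-2016-2115); the notify back-channel to a print client is not covered by that policy */` should say so. The enclosing function starts and ends outside the hunk.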
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++ source3/include/proto.h | 1 + source3/param/loadparm.c | 12 ++++++++++++ 3 files changed, 28 insertions(+) create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml new file mode 100644 index 0000000..016ac9b --- /dev/null +++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml @@ -0,0 +1,15 @@ + + + This option controls whether any requests from winbindd to domain controllers + pipe will be sealed. Disabling sealing can be useful for debugging + purposes. + + The behavior can be controlled per netbios domain + by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option. + + +yes + diff --git a/source3/include/proto.h b/source3/include/proto.h index af950aa..ac1540f 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void); int lp_winbind_reconnect_delay(void); int lp_winbind_max_clients(void); const char **lp_winbind_nss_info(void); +bool lp_winbind_sealed_pipes(void); int lp_algorithmic_rid_base(void); int lp_name_cache_timeout(void); int lp_client_signing(void); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index c58f860..fdc9407 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -215,6 +215,7 @@ struct global { int winbind_expand_groups; bool bWinbindRefreshTickets; bool bWinbindOfflineLogon; + bool bWinbindSealedPipes; bool bWinbindNormalizeNames; bool bWinbindRpcOnly; bool bCreateKrb5Conf; 
@@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = { .flags = FLAG_ADVANCED, }, { + .label = "winbind sealed pipes", + .type = P_BOOL, + .p_class = P_GLOBAL, + .ptr = &Globals.bWinbindSealedPipes, + .special = NULL, + .enum_list = NULL, + .flags = FLAG_ADVANCED, + }, + { .label = "winbind normalize names", .type = P_BOOL, .p_class = P_GLOBAL, @@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals) Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL); Globals.bWinbindRefreshTickets = False; Globals.bWinbindOfflineLogon = False; + Globals.bWinbindSealedPipes = True; Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */ Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */ @@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups) FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups) FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets) FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon) +FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes) FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames) FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly) FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf) -- 2.8.1 From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 5 Sep 2014 17:00:31 +1200 Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous connections by default The requirement is that we have "winbind sealed pipes = false" and "require strong key = false" before we make anonymous connections. These are a security risk as we cannot prevent MITM attacks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796 
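Review bot: `FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)` exposes only the global value, yet the winbindsealedpipes.xml text added in this same patch promises a per-domain override via `winbind sealed pipes:NETBIOSDOMAIN = no`, and nothing in the patch reads that parametric form, so unless a lookup exists outside this series the documented override is a no-op. Callers wanting the documented behaviour should query `lp_parm_bool(-1, "winbind sealed pipes", domain->name, lp_winbind_sealed_pipes())`, with the winbindd_cm.c guards in the final patch being the natural place; otherwise the per-domain sentence should be dropped from the docs for this branch. The `True` default in init_globals is the right fail-closed choice.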
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher (backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97) --- source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 8271279..50a341e 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, TALLOC_FREE(conn->samr_pipe); anonymous: + if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { + status = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make SAMR connection to domain %s " + "without connection level security, " + "must set 'winbind sealed pipes = false' " + "to proceed: %s\n", + domain->name, nt_errstr(status))); + goto done; + } /* Finally fall back to anonymous. */ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id, @@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, anonymous: + if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { + result = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make LSA connection to domain %s " + "without connection level security, " + "must set 'winbind sealed pipes = false' " + "to proceed: %s\n", + domain->name, nt_errstr(result))); + goto done; + } + result = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_lsarpc.syntax_id, &conn->lsa_pipe); 
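Review bot: The new guard in cm_connect_sam, `if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary))`, leaves the anonymous fallback reachable for non-primary trusted domains on a member server, so those SAMR connections stay exposed to the downgrade this patch closes; the same condition is repeated in the cm_connect_lsa hunk below and in the cm_connect_netlogon hunk on the next line. If that scope is deliberate (credentials for trusted domains may not be available on a member), a comment such as `/* enforced for our own domain, and for every domain on a DC; trusted domains on a member may still fall back to anonymous */` above the condition would record it. The commit description says "require strong key = false" must also be set before an anonymous connection is made, but all three guards test only `lp_winbind_sealed_pipes()` and the messages name only that option, so either the description overstates what this backport does or the check lost a condition and the two should be aligned. cm_connect_sam and cm_connect_lsa both start and end outside these hunks.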
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, no_schannel: if ((lp_client_schannel() == False) || - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { + ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { + if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { + result = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make connection to domain %s " + "without connection level security, " + "must set 'winbind sealed pipes = false' " + "to proceed: %s\n", + domain->name, nt_errstr(result))); + TALLOC_FREE(netlogon_pipe); + invalidate_cm_connection(conn); + return result; + } /* * NetSamLogonEx only works for schannel */ -- 2.8.1
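Review bot: The downgrade message in the cm_connect_netlogon guard reads `"Unwilling to make connection to domain %s "` and so cannot be told apart in the log from the SAMR and LSA messages added in the same patch; `"Unwilling to make NETLOGON connection to domain %s "` would match them. The guard also fires when `client schannel = no` is configured, which the message does not mention, so an admin hitting it on a DC is told to weaken "winbind sealed pipes" when re-enabling schannel may be what they actually want. Unlike the SAMR and LSA hunks, which `goto done`, this one frees `netlogon_pipe` and calls `invalidate_cm_connection(conn)` inline before `return result;`; if cm_connect_netlogon has a common exit path (its body lies outside the hunk) routing through it keeps the three error paths alike, otherwise a one-line comment explaining why the whole connection is dropped here would help.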