Discussion:
[OpenAFS] Microsoft Security Hot Fix MS11-043 breaks OpenAFS client
Jeffrey Altman
2011-06-16 17:40:28 UTC
Please be aware that this past Tuesday Microsoft pushed out a Security
Fix for the Microsoft SMB Redirector for all versions of Windows back to
XP and Server 2003. This hot fix, MS11-043, patches a critical
vulnerability in the SMB Redirector that can result in Remote Code
Execution. As a result I cannot recommend that this hot fix not be
applied. MS11-043 replaces MS11-019 and MS10-020.

https://www.microsoft.com/technet/security/bulletin/ms11-043.mspx

MS11-043 when applied will break the OpenAFS Client. The SMB protocol
responses issued by the OpenAFS SMB server implementation do not pass
the validation checks now imposed by the Microsoft SMB redirector.

At this time I have no knowledge of what changes were made to the
Microsoft SMB redirector and in what manner the OpenAFS SMB Server
responses are invalid.

The OpenAFS IFS implementation is not quite ready for broad production
use but it may be the only option available to the community at this time.

Further information to follow on a possible rushed release cycle for the
IFS functionality to the general public in its current state.

Jeffrey Altman
Jeffrey Altman
2011-06-17 15:24:41 UTC
Based upon feedback received from the community, there are systems on
which MS11-043 is installed on which connectivity between the SMB
Redirector and the OpenAFS SMB Server continues to work successfully.

It is unclear at this point what percentage of systems are adversely
affected and on which platforms. All of the systems that have reported
errors are either XP or Server 2003. I have yet to receive a report
about a Vista, Win7 or Server 2008 system and I have not yet had time to
perform extensive testing across a range of operating system installs.

When an incompatibility due to the installation of MS11-043 occurs the
nbtstat -n output reports that "AFS <20>" is registered on the Microsoft
Loopback adapter and there is a valid connection between the local
machine name and "AFS". However, all attempts to perform a CreateFile()
operation on a file or directory in \\AFS will fail with
ERROR_BAD_NET_RESP "The specified server cannot perform the requested
operation." This error occurs when the input packet received by the SMB
Redirector fails consistency checks.

Additional research is going to need to be performed on affected
systems. The brand and version of anti-malware products may be playing
a role. It is unclear.

At this point, I would recommend testing of MS11-043 in your environment
before performing a large scale rollout.

Jeffrey Altman
Jeffrey Altman
2011-06-20 17:01:21 UTC
I can confirm that one incompatibility with MS11-043 is setting the

HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
"SMBAuthType" DWORD

value to "0x0". There are other potential incompatibilities. If your
site is setting this value to anything other than "0x2" (SPNEGO
Authentication) please consider changing it.

If you are a site that either does not have this value set or has it set
to "0x2" and are experiencing problems with MS11-043, please open an
issue at openafs-***@openafs.org.

Jeffrey Altman
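The registry check described in the message above, as an added example that is not part of the original posts or of OpenAFS: a read-only PowerShell audit that reports whether the hot fix is present and how `SMBAuthType` is set. The hot fix ID `KB2536276` is taken from the KB number quoted elsewhere in this thread; the function name and status labels are hypothetical.

```powershell
# Added example: read-only audit of the SMBAuthType setting discussed in this thread.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters'
$ValueName = 'SMBAuthType'
$HotFixId  = 'KB2536276'   # KB number quoted in this thread for the MS11-043 update

function Get-SmbAuthTypeStatus {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    # No Parameters key at all: the OpenAFS client service is not configured here.
    if (-not (Test-Path -LiteralPath $Path)) { return 'NoAfsClientKey' }

    # A missing value raises a non-terminating error; suppress it and treat as "not set".
    $props = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotSet' }

    switch ([int]$props.$Name) {
        0       { 'Incompatible' }     # 0x0: confirmed incompatible with MS11-043
        2       { 'Spnego' }           # 0x2: SPNEGO Authentication
        default { 'OtherNonSpnego' }   # any other value: the thread suggests changing it
    }
}

$patched = [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
$status  = Get-SmbAuthTypeStatus

$advice = switch ($status) {
    'NoAfsClientKey' { 'OpenAFS client parameters key not found; nothing to check.' }
    'Incompatible'   { 'SMBAuthType is 0x0; change it to 0x2 (SPNEGO).' }
    'OtherNonSpnego' { 'SMBAuthType is not 0x2; consider changing it to 0x2 (SPNEGO).' }
    default          { 'SMBAuthType is unset or 0x2; if \\AFS access still fails, report it to OpenAFS.' }
}

# PSObject construction is used so the script also runs on PowerShell 2.0 (XP / Server 2003).
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    HotFixInstalled = $patched
    SMBAuthType     = $status
    Advice          = $advice
}
```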
Mag. Mike B. Kerber
2011-06-17 16:28:35 UTC
Dear Jeffrey Altman!

Thanks for the warning/update. If it helps we could offer to test the
IFS implementation if it helps getting it more stable.
Are there any pre-release versions of the client available that do not
require own compilation?

In any case thanks for all the work so far!

all the best

-mike
Douglas E. Engert
2011-06-17 19:48:22 UTC
OpenAFS is not alone:
Google Samba kb2536276
show that Samba is having problems with 2536276

Maybe not the same problem, but still a problem.
--
Douglas E. Engert <***@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Jeffrey Altman
2011-06-17 20:00:18 UTC
I expect all non Microsoft SMB implementations to have issues

_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info