[OpenAFS] Microsoft Security Hot Fix MS11-043 breaks OpenAFS client

Jeffrey Altman jaltman@your-file-system.com
Fri, 17 Jun 2011 08:24:41 -0700


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig64CB410B9CCD7DD2162E2F83
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Based upon feedback received from the community, there are systems on
which MS11-043 is installed on which connectivity between the SMB
Redirector and the OpenAFS SMB Server continues to work successfully.

It is unclear at this point what percentage of systems are adversely
affected and on which platforms.  All of the systems that have reported
errors are either XP or Server 2003.  I have yet to receive a report
about a Vista, Win7 or Server 2008 system and I have not yet had time to
perform extensive testing across a range of operating system installs.

When an incompatibility due to the installation of MS11-043 occurs the
nbtstat -n output reports that "AFS <20>" is registered on the Microsoft
Loopback adapter and there is a valid connection between the local
machine name and "AFS".  However, all attempts to perform a CreateFile()
operation on a file or directory in \\AFS will fail with
ERROR_BAD_NET_RESP "The specified server cannot perform the requested
operation."  This error occurs when the input packet received by the SMB
Redirector fails consistency checks.

Additional research is going to need to be performed on affected
systems.  The brand and version of anti-malware products may be playing
a role.  It is unclear.

At this point, I would recommend testing of MS11-043 in your environment
before performing a large scale rollout.

Jeffrey Altman

On 6/16/2011 10:40 AM, Jeffrey Altman wrote:
> Please be aware that this past Tuesday Microsoft pushed out a Security
> Fix for the Microsoft SMB Redirector for all versions of Windows back t=
o
> XP and Server 2003.  This hot fix, MS11-043, patches a critical
> vulnerability in the SMB Redirector that can result in Remote Code
> Execution.  As a result I cannot recommend that this hot fix not be
> applied.  MS11-043 replaces MS11-019 and MS10-020.
>=20
> https://www.microsoft.com/technet/security/bulletin/ms11-043.mspx
>=20
> MS11-043 when applied will break the OpenAFS Client.  The SMB protocol
> responses issued by the OpenAFS SMB server implementation do not pass
> the validation checks now imposed by the Microsoft SMB redirector.
>=20
> At this time I have no knowledge of what changes were made to the
> Microsoft SMB redirector and in what manner the OpenAFS SMB Server
> responses are invalid.
>=20
> The OpenAFS IFS implementation is not quite ready for broad production
> use but it may be the only option available to the community at this ti=
me.
>=20
> Further information to follow on a possible rushed release cycle for th=
e
> IFS functionality to the general public in its current state.
>=20
> Jeffrey Altman
>=20


--------------enig64CB410B9CCD7DD2162E2F83
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJN+3G7AAoJENxm1CNJffh45CIH/0QK8V8Zo0p6Fh+MaSW5y/RB
9OiP4BZFWrF2iv6MfDPilFfKnAjfphe7etvmWg0ZddyCZGXlF1Hu4rRrnQvIcJ+V
nRvXcfb7fxiD1qfzCbUHaUhKnbKwp0GIEPz5alDIuT9VZugKgLGf3jkRyb26D0IQ
obKCYa/JVkfCYMOQFSKJE6uR4NO5+/OEL2HSOLojReJlfKnSqXy81kpARTMfZNYm
90n1oEU/VyGywMOBO675hc0NuOT6cBHJdrI4KfRq7+l17z27Qs+3jq2Qze8m3I+H
qsH7AuVhtqT//j7lovWnUTvQHf9Yoy0aDFD5tErxsgCFVmjwInTvvzneCOoYCCU=
=wR7k
-----END PGP SIGNATURE-----

--------------enig64CB410B9CCD7DD2162E2F83--