[OpenAFS] Microsoft Security Hot Fix MS11-043 breaks OpenAFS client

Jeffrey Altman jaltman@your-file-system.com
Mon, 20 Jun 2011 13:01:21 -0400


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigED2D6409B1A00D439B54D581
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I can confirm that one incompatibility with MS11-043 is setting the

  HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
   "SMBAuthType" DWORD

value to "0x0".  There are other potential incompatibilities.  If your
site is setting this value to anything other than "0x2" (SPNEGO
Authentication) please consider changing it.

If you are a site that either does not have this value set or has it set
to "0x2" and are experiencing problems with MS11-043, please open an
issue at openafs-bugs@openafs.org.

Jeffrey Altman

On 6/17/2011 11:24 AM, Jeffrey Altman wrote:
> Based upon feedback received from the community, there are systems on
> which MS11-043 is installed on which connectivity between the SMB
> Redirector and the OpenAFS SMB Server continues to work successfully.
>=20
> It is unclear at this point what percentage of systems are adversely
> affected and on which platforms.  All of the systems that have reported=

> errors are either XP or Server 2003.  I have yet to receive a report
> about a Vista, Win7 or Server 2008 system and I have not yet had time t=
o
> perform extensive testing across a range of operating system installs.
>=20
> When an incompatibility due to the installation of MS11-043 occurs the
> nbtstat -n output reports that "AFS <20>" is registered on the Microsof=
t
> Loopback adapter and there is a valid connection between the local
> machine name and "AFS".  However, all attempts to perform a CreateFile(=
)
> operation on a file or directory in \\AFS will fail with
> ERROR_BAD_NET_RESP "The specified server cannot perform the requested
> operation."  This error occurs when the input packet received by the SM=
B
> Redirector fails consistency checks.
>=20
> Additional research is going to need to be performed on affected
> systems.  The brand and version of anti-malware products may be playing=

> a role.  It is unclear.
>=20
> At this point, I would recommend testing of MS11-043 in your environmen=
t
> before performing a large scale rollout.
>=20
> Jeffrey Altman
>=20
> On 6/16/2011 10:40 AM, Jeffrey Altman wrote:
>> Please be aware that this past Tuesday Microsoft pushed out a Security=

>> Fix for the Microsoft SMB Redirector for all versions of Windows back =
to
>> XP and Server 2003.  This hot fix, MS11-043, patches a critical
>> vulnerability in the SMB Redirector that can result in Remote Code
>> Execution.  As a result I cannot recommend that this hot fix not be
>> applied.  MS11-043 replaces MS11-019 and MS10-020.
>>
>> https://www.microsoft.com/technet/security/bulletin/ms11-043.mspx
>>
>> MS11-043 when applied will break the OpenAFS Client.  The SMB protocol=

>> responses issued by the OpenAFS SMB server implementation do not pass
>> the validation checks now imposed by the Microsoft SMB redirector.
>>
>> At this time I have no knowledge of what changes were made to the
>> Microsoft SMB redirector and in what manner the OpenAFS SMB Server
>> responses are invalid.
>>
>> The OpenAFS IFS implementation is not quite ready for broad production=

>> use but it may be the only option available to the community at this t=
ime.
>>
>> Further information to follow on a possible rushed release cycle for t=
he
>> IFS functionality to the general public in its current state.
>>
>> Jeffrey Altman
>>
>=20


--------------enigED2D6409B1A00D439B54D581
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJN/3zjAAoJENxm1CNJffh46wIIANcUoEeRB50Y1BCMYtB3f+PC
cf8aH1X/3WQsJth/BrDS+3N7AhrHeboOJf/pR8NTlNtP6NlkxTq4B5afw0ZWhx3C
iRYYKFMD3djaUsoK6jsFu0/79rRiAPIItkEpKAJO7mCsDJ/5fmMUL/yKDJn9fGQM
zsYgRaT6kHbSkV8wh06xgzJWEet+mwiPZF3cQwLOWdC8FDyvtXOVTLAn3DpIj/7j
+EG3sDmX2dJiQcbsWcex7dVZA4uZwH6ap7/4MDvsz42zwHRbJLunUxfe5ktmwmib
RfSyQkKQCHAf5D60hUeCHaceAmRZ+pynLDkpzZuaVjoDFn1Kh3oe1NAh7oDG1Ow=
=d31a
-----END PGP SIGNATURE-----

--------------enigED2D6409B1A00D439B54D581--