[cifs-protocol] [REG:115012312316449] Re: Protocol changes in KB2992611 [115012312316449]

Edgar Olougouna edgaro at microsoft.com
Thu Feb 19 15:25:15 MST 2015


Andrew,
After tracking down the corresponding code fix applied in MS14-066 / KB2992611, we observe that this security update simply addresses a Schannel code vulnerability and does not appear to introduce any protocol change.
It does trigger a local error when it detects the specific anomaly, i.e. during the certificate signature verification check, but as such the same error was already returned in many other checks. If this occurs on a client, then the calling application will obviously bail out.
Regarding your observation: “It looks like it has gone from a soft to a hard error in the client code, essentially.”
We are concerned about what you meant by soft vs hard error. Can you elaborate in more detail?
The Schannel / SSPI error code in question:
SEC_E_ILLEGAL_MESSAGE 
0x80090326
The message received was unexpected or badly formatted.

Regards,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, February 13, 2015 11:22 AM
To: 'Andrew Bartlett'
Cc: MSSolve Case Email; cifs-protocol at samba.org; Obaid Farooqi
Subject: RE: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

Andrew,

Just an FYI, I will consider the information you sent to Obaid in my investigation.

He is currently out of office but forwarded me the following message. Your comment appears to intersect with the other case you opened regarding ClientWrap and its use case.

== Begin forwarded message ==

From: Andrew Bartlett <abartlet at samba.org>
Date: February 13, 2015 at 10:15:50 AM GMT+5
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: MSSolve Case Email <casemail at microsoft.com>, "cifs-protocol at samba.org" <cifs-protocol at samba.org>
Subject: Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote:

On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote:
Hi Andrew:
I have a fully patched system, Windows 8.1 enterprise. I verified that the updates include kb2992611. I joined the machine to Samba domain before patching though. 

Please do it the other way around.  That would match our steps.  It certainly appears to be an issue in new profiles, after the patches. 

It may be enough to create a new user after patching, but you suggest below that this doesn't help.

Have you had any luck doing this where you join the newly built, patched, machine to Samba, where it has never seen the same domain before, after doing the patches?

From our side, we have just finished writing the ServerWrap server-side, and this 'fixes' this issue, but I strongly suspect it just works around it - that the client prefers to do ClientWrap, and this is a fallback.

As such, I still need to know what changed, and what we are doing wrong in our ClientWrap server, both in master and after the patch in bug 11097 is applied.

Thanks,

Andrew Bartlett

== End forwarded message ==

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, February 10, 2015 5:27 PM
To: Edgar Olougouna
Cc: MSSolve Case Email; cifs-protocol at samba.org; Obaid Farooqi
Subject: Re: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in KB2992611 [115012312316449]

On Tue, 2015-02-10 at 22:13 +0000, Edgar Olougouna wrote:
> Andrew,
> I will take care of this case while my colleague (Obaid in cc) is out of office.
> Let me review the issue and narrow the scope. I gather that you want to determine whether there's any protocol effect resulting from KB2992611, and the current leads you have been exploring are protected_storage, MS-BKRP, DPAPI regarding the use of Credential manager connected to Samba's DC.
> Please share any current information that may help me speed up investigation.

In particular, we now see more calls to BACKUPKEY_BACKUP_GUID, that is ServerWrap, vs the ClientWrap that we did have implemented.  In the past, our failure to implement this had no user-visible impact, and happened only once per login, now it prevents operation of credentials manager and is repeated often.  It looks like it has gone from a soft to a hard error in the client code, essentially. 

> I will follow-up as soon as I have an update.
> 
> Regards,
> Edgar
> 
> -----Original Message-----
> From: "Andrew Bartlett" <abartlet at samba.org>
> Sent: Tuesday, February 10, 2015 12:56 AM
> To: "Obaid Farooqi" <obaidf at microsoft.com>
> Cc: "MSSolve Case Email" <casemail at microsoft.com>; 
> "cifs-protocol at samba.org" <cifs-protocol at samba.org>
> Subject: [REG:115012312316449] Re: [cifs-protocol] Protocol changes in
> KB2992611 [115012312316449]
> 
> On Fri, 2015-02-06 at 23:23 +1300, Andrew Bartlett wrote: 
> > On Wed, 2015-02-04 at 16:08 +0000, Obaid Farooqi wrote:
> > > Hi Andrew:
> > > I have a fully patched system, Windows 8.1 enterprise. I verified that
> > > the updates include kb2992611. I joined the machine to Samba
> > > domain before patching though.
> >
> > Please do it the other way around.  That would match our steps.  It
> > certainly appears to be an issue in new profiles, after the patches.
> >
> > It may be enough to create a new user after patching, but you
> > suggest below that this doesn't help.
> >
> > > I still do not see the problem. I also created a new user using active
> > > directory users and computers from my Windows machine. No issues.
> > > Logged in as the newly created user and tried credentials manager but
> > > still no issues.
> > >
> > > Is your setup on hyper-v virtual machines? Maybe you can send me
> > > both the VHDs and I can just debug on my side to see what is happening?
> > >
> > > I am not sure if opening credential manager generates any network
> > > traffic from workstation to DC. I did not see any when I opened credentials manager.
> >
> > The issue when reproduced should show protected_storage traffic.  
> > You will see some during the first login in the unpatched case, and 
> > much more of it in the patched case, per the traces I included.
> > 
> > I hope this is enough to help you reproduce.  Otherwise, I'll see
> what
> > we can do. 
> 
> Are you still unable to reproduce, following these directions exactly? 
> 
> Thanks,
> 
> Andrew Bartlett
> 

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba