[cifs-protocol] [REG:115012312316449] Re: Protocol changes in KB2992611 [115012312316449]

Andrew Bartlett abartlet at samba.org
Fri Feb 20 01:45:37 MST 2015


On Fri, 2015-02-20 at 17:03 +1300, Andrew Bartlett wrote:
> On Thu, 2015-02-19 at 22:25 +0000, Edgar Olougouna wrote:
> > Andrew,
> > After tracking down the corresponding code fix applied in MS14-066 /
> > KB2992611, we observe that this security update simply addresses a
> > Schannel code vulnerability, and does not appear to introduce any
> > protocol change.
> > It does trigger a local error when it detects the specific anomaly,
> > i.e. during certificate signature verification check, but as such the
> > same error was already returned in many other checks. If this occurs
> > on a client, then the calling application will obviously bail out.
> > Regarding your observation: “It looks like it has gone from a soft to
> > a hard error in the client code, essentially.”
> > We are concerned about what you meant by soft vs hard error. Can you
> > elaborate in more detail?
> 
> The server failure to give a good enough ClientWrap key (assuming that
> was/is the underlying issue) or failure to support ServerWrap went from
> being ignored, to causing the credentials manager not to open, and other
> failures (unable to create new profiles in Outlook, apparently). 
> 
> > The Schannel / SSPI error code in question:
> > SEC_E_ILLEGAL_MESSAGE 
> > 0x80090326
> > The message received was unexpected or badly formatted.
> 
> OK.  So the next step will be to have you able to reproduce this locally
> with Windows 8.1 and credentials manager, or if not possible (which is
> still odd, it reproduced first time for us, as long as the updates were
> *before* the first ever domain join), then tell me what process to run
> ttt on so we can confirm what the failure was.  If you can be explicit
> about the change, that may also give us clues. 

Going back to Obiad's question earlier, I can offer you the disks of the
virtual machines.  They run under Linux KVM (using libvirt drivers), but
I'm sure you can work it out. 

While I have many questions outstanding with dochelp, this issue is the
most pressing for me, because while we appear to have a fix, I still
don't understand what changed and why, and strongly suspect a larger
underlying issue. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



