[cifs-protocol] [REG:115012312316449] Re: Protocol changes in KB2992611 [115012312316449]
Andrew Bartlett
abartlet at samba.org
Fri Feb 20 01:45:37 MST 2015
On Fri, 2015-02-20 at 17:03 +1300, Andrew Bartlett wrote:
> On Thu, 2015-02-19 at 22:25 +0000, Edgar Olougouna wrote:
> > Andrew,
> > After tracking down the corresponding code fix applied in MS14-066 /
> > KB2992611, we observe that this security update simply addresses a
> > Schannel code vulnerability, and does not appear to introduce any
> > protocol change.
> > It does trigger a local error when it detects the specific anomaly,
> > i.e. during certificate signature verification check, but as such the
> > same error was already returned in many other checks. If this occurs
> > on a client, then the calling application will obviously bail out.
> > Regarding your observation: “It looks like it has gone from a soft to
> > a hard error in the client code, essentially.”
> > We are concerned about what you meant by soft vs hard error. Can you
> > elaborate in more details?
>
> The server failure to give a good enough ClientWrap key (assuming that
> was/is the underlying issue) or failure to support ServerWrap went from
> being ignored, to causing the credentials manager not to open, and other
> failures (unable to create new profiles in Outlook, apparently).
>
> > The Schannel / SSPI error code in question:
> > SEC_E_ILLEGAL_MESSAGE
> > 0x80090326
> > The message received was unexpected or badly formatted.
>
> OK. So the next step will be to have you able to reproduce this locally
> with Windows 8.1 and credentials manager, or if not possible (which is
> still odd, it reproduced first time for us, as long as the updates were
> *before* the first ever domain join), then tell me what process to run
> ttt on so we can confirm what the failure was. If you can be explicit
> about the change, that may also give us clues.
Going back to Obiad's question earlier, I can offer you the disks of the
virtual machines. The run under linux KVM (using libvirt drivers), but
I'm sure you can work it out.
While I have many questions outstanding with dochelp, this issue is the
most pressing for me, because while we appear to have a fix, I still
don't understand what changed and why, and strongly suspect a larger
underlying issue.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol
mailing list