[cifs-protocol] Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761

Obaid Farooqi obaidf at microsoft.com
Mon May 23 17:24:42 UTC 2022


Hi Andrew:
After CVE-2022-26925, if a client connects to an MS-EFSR server over the lsarpc pipe and authenticates anonymously, use of any of the interfaces listed in MS-EFSR will receive RPC_S_ACCESS_DENIED.
I have filed a bug to document this in MS-EFSR.

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Wednesday, May 18, 2022 2:33 AM
To: 'Andrew Bartlett' <abartlet at samba.org>
Cc: 'cifs-protocol mailing list' <cifs-protocol at lists.samba.org>; Tom Devey <Tom.Devey at microsoft.com>; 'Obaid Farooqi' <obaidf at microsoftsupport.com>
Subject: RE: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761

Hi Andrew:
There are really no protocol-level changes for CVE-2022-26925. Here is what is done to lock down the anonymous access on the lsarpc named pipe.

This change is only effective for the MS-EFSR protocol. When the EFS service registers with the lsarpc endpoint, it now specifies the RPC_IF_ALLOW_SECURE_ONLY flag. This will reject any attempts to use MS-EFSR interfaces if the authentication is anonymous.
You can read the details of how this is accomplished in the "Remarks" section of the following link https://docs.microsoft.com/en-us/windows/win32/api/rpcdce/ns-rpcdce-rpc_interface_template


Please let me know if this doesn't answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi
Sent: Thursday, May 12, 2022 2:00 PM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Tom Devey <Tom.Devey at microsoft.com>; Obaid Farooqi <obaidf at microsoftsupport.com>
Subject: RE: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761

Hi Andrew:
There are no doc changes for CVE-2022-26925. I am looking into it and will let you know if any doc changes are warranted.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Sreekanth Nadendla <srenaden at microsoft.com>
Sent: Tuesday, May 10, 2022 9:16 PM
To: Andrew Bartlett <abartlet at samba.org>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Subject: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761

Dochelp in Bcc

Hello Andrew, thank you for your question about open specifications concerning CVE-2022-26925. We have created incident 2205110040000761 to track the investigation for this issue.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org>
Sent: Tuesday, May 10, 2022 5:43 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925

Kia Ora Dochelp,

Can you please point me at the protocol Doc updates for CVE-2022-26925 please, as no errata is showing at
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33 and I believe it is important for Samba to be able to mitigate this issue also.

I have long wanted to lock down anonymous access to Samba's RPC services and I think this might allow us to do so in a way that matches Windows, so details of the protocol-visible changes would be most helpful.

Thanks!

Andrew Bartlett
--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
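
Added example (not part of the original thread, and not Microsoft's or Samba's code): a simplified Python model of the per-interface gating described in the 18 May reply, where only the MS-EFSR interface registered on the lsarpc pipe rejects anonymous callers. The interface names, the boolean `anonymous` input and the unflagged pre-update registration are assumptions made for illustration; how a real server decides that a caller is anonymous is not modelled.

```python
from dataclasses import dataclass, field

RPC_S_OK = 0
RPC_S_ACCESS_DENIED = 5            # same value as Win32 ERROR_ACCESS_DENIED
RPC_IF_ALLOW_SECURE_ONLY = 0x0008  # interface registration flag (rpcdce.h)


@dataclass
class Endpoint:
    """One named pipe hosting several RPC interfaces, each with its own flags."""
    name: str
    interfaces: dict = field(default_factory=dict)  # interface name -> flags

    def register(self, interface, flags=0):
        self.interfaces[interface] = flags

    def dispatch(self, interface, anonymous):
        """Return the status a call on `interface` would receive."""
        flags = self.interfaces[interface]
        # The check is per interface, not per pipe: only interfaces that were
        # registered with the flag turn anonymous callers away.
        if (flags & RPC_IF_ALLOW_SECURE_ONLY) and anonymous:
            return RPC_S_ACCESS_DENIED
        return RPC_S_OK


def build_lsarpc(patched):
    """Model of the lsarpc pipe before and after the update (constructed)."""
    ep = Endpoint(r"\pipe\lsarpc")
    ep.register("lsarpc")  # assumption: other interfaces keep flags == 0
    ep.register("efsrpc", RPC_IF_ALLOW_SECURE_ONLY if patched else 0)
    return ep


def access_matrix(patched):
    """Status for every (interface, anonymous) combination on the pipe."""
    ep = build_lsarpc(patched)
    return {(iface, anon): ep.dispatch(iface, anon)
            for iface in sorted(ep.interfaces)
            for anon in (True, False)}


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched")
        for (iface, anon), status in access_matrix(patched).items():
            print(f"  {iface:7} anonymous={anon!s:5} -> {status}")
```
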



