[cifs-protocol] Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761

Andrew Bartlett abartlet at samba.org
Mon May 23 19:32:44 UTC 2022


Thanks so much, that is what I wanted clarified.  I had hoped for
something broader (anonymous access will continue to bite us all), but
alas!

Andrew,

On Mon, 2022-05-23 at 17:24 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> After CVE-2022-26925, if a client connects to an MS-EFSR server over the lsarpc pipe and authenticates anonymously, use of any of the interfaces listed in MS-EFSR will receive RPC_S_ACCESS_DENIED.
> I have filed a bug to document this in MS-EFSR.
> 
> Please let me know if this does not answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi 
> Sent: Wednesday, May 18, 2022 2:33 AM
> To: 'Andrew Bartlett' <abartlet at samba.org>
> Cc: 'cifs-protocol mailing list' <cifs-protocol at lists.samba.org>; Tom Devey <Tom.Devey at microsoft.com>; 'Obaid Farooqi' <obaidf at microsoftsupport.com>
> Subject: RE: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761
> 
> Hi Andrew:
> There are really no protocol-level changes for CVE-2022-26925. Here is what is done to lock down the anonymous access on the lsarpc named pipe.
> 
> This change is only effective for the MS-EFSR protocol. When the EFS service registers with the lsarpc endpoint, it now specifies the RPC_IF_ALLOW_SECURE_ONLY flag. This will reject any attempts to use MS-EFSR interfaces if the authentication is anonymous.
> You can read the details of how this is accomplished in the "Remarks" section of the following link https://docs.microsoft.com/en-us/windows/win32/api/rpcdce/ns-rpcdce-rpc_interface_template
> 
> 
> Please let me know if this doesn't answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Thursday, May 12, 2022 2:00 PM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Tom Devey <Tom.Devey at microsoft.com>; Obaid Farooqi <obaidf at microsoftsupport.com>
> Subject: RE: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761
> 
> Hi Andrew:
> There are no doc changes for CVE-2022-26925. I am looking into it and will let you know if any doc changes are warranted.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Sreekanth Nadendla <srenaden at microsoft.com>
> Sent: Tuesday, May 10, 2022 9:16 PM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> Subject: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 - TrackingID#2205110040000761
> 
> Dochelp in Bcc
> 
> Hello Andrew, thank you for your question about open specifications concerning CVE-2022-26925. We have created incident 2205110040000761 to track the investigation for this issue.
> 
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
> 
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Tuesday, May 10, 2022 5:43 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> Subject: [EXTERNAL] Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925
> 
> Kia Ora Dochelp,
> 
> Can you please point me at the protocol Doc updates for CVE-2022-26925 please, as no errata is showing at
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33 and I believe it is important for Samba to be able to mitigate this issue also.
> 
> I have long wanted to lock down anonymous access to Samba's RPC services and I think this might allow us to do so in a way that matches Windows, so details of the protocol-visible changes would be most helpful.
> 
> Thanks!
> 
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org/
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> 
> Samba Development and Support, Catalyst IT - Expert Open Source Solutions
> 

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
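
The behaviour described in the quoted replies above, as an added example that is not part of the original messages and is neither Windows nor Samba code: a small C model of a per-interface gate on a shared pipe, where only the interface registered with RPC_IF_ALLOW_SECURE_ONLY refuses anonymous callers. The struct, the table and `dispatch_check` are hypothetical names, and the MS-LSAD entry with no flags is an assumption used for contrast.

```c
#include <stdio.h>
#include <string.h>

/* Numeric values as defined in the Windows SDK headers. */
#define RPC_S_OK                 0L
#define RPC_S_ACCESS_DENIED      5L
#define RPC_S_UNKNOWN_IF         1717L
#define RPC_IF_ALLOW_SECURE_ONLY 0x0008u

/* Constructed model type: one interface registered on a pipe endpoint. */
struct rpc_iface {
    const char  *name;
    unsigned int flags;   /* flags given at interface registration */
};

/* Constructed table for the lsarpc pipe. Only MS-EFSR carries the flag,
 * as the thread states; MS-LSAD with no flags is an assumption. */
static const struct rpc_iface lsarpc_ifaces[] = {
    { "MS-LSAD", 0u },
    { "MS-EFSR", RPC_IF_ALLOW_SECURE_ONLY },
};

/* Per-interface gate evaluated before a call is dispatched.
 * anonymous != 0 means the client authenticated as anonymous. */
long dispatch_check(const char *iface_name, int anonymous)
{
    size_t n = sizeof(lsarpc_ifaces) / sizeof(lsarpc_ifaces[0]);
    for (size_t i = 0; i < n; i++) {
        const struct rpc_iface *ifc = &lsarpc_ifaces[i];
        if (strcmp(ifc->name, iface_name) != 0)
            continue;
        if ((ifc->flags & RPC_IF_ALLOW_SECURE_ONLY) && anonymous)
            return RPC_S_ACCESS_DENIED;
        return RPC_S_OK;
    }
    return RPC_S_UNKNOWN_IF;   /* nothing registered under that name */
}

int main(void)
{
    const char *names[] = { "MS-LSAD", "MS-EFSR" };
    for (int i = 0; i < 2; i++)
        for (int anon = 0; anon <= 1; anon++)
            printf("%-8s anonymous=%d -> %ld\n",
                   names[i], anon, dispatch_check(names[i], anon));
    return 0;
}
```

The four combinations printed by `main` form the test matrix an interoperating server would need to match: the decision is keyed on the interface, not on the pipe the client connected to.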



