[cifs-protocol] [MS-NRPC] 126.96.36.199 Session-Key Negotiation lacking details - TrackingID#2309080040007879
Jeff McCashland (He/him)
jeffm at microsoft.com
Fri Sep 8 20:45:51 UTC 2023
[support on CC, updated Subject with new SR ID]
We have created SR 2309080040007879 to track this issue. I will look into it and get back to you.
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
From: Stefan Metzmacher <metze at samba.org>
Sent: Thursday, September 7, 2023 11:27 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; Ralph Böhme <slow at samba.org>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Re: [MS-NRPC] DCERPC_NCA_S_FAULT_INVALID_TAG returned instead of STATUS_INVALID_LEVEL - TrackingID#2307200040007944
> We have updated [MS-NRPC] for the next release to address this issue. We have added the following Behavior Note to section 188.8.131.52.10:
> <197> Section 184.108.40.206.10: Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The error code that a client gets depends on where the calling application is getting the error from:
> 1. If the client is running on Windows and calling Windows RPC APIs, they may get the Win32 error code RPC_S_INVALID_TAG ([MS-ERREF] section 2.2).
> 2. If the client is running on third-party operating systems or getting the error code from the wire, they may get nca_s_fault_invalid_tag (0x1C000006). ([C706-RSCP] DCE 1.1: Remote Procedure Call - Reject Status Codes and Parameters).
> 3. The conversion between the on-the-wire nca_s_fault_invalid_tag and Win32 error code RPC_S_INVALID_TAG is specified in [MS-RPCE] Section 220.127.116.11.5.
> I hope that helps.
In addition I think 18.104.22.168 Session-Key Negotiation could be much more verbose in a way that it would describe how safe downgrade is possible and how an unsafe downgrade is detected.
More information about the cifs-protocol