[jcifs] NTLM implementation security issue

Michael B Allen ioplex at gmail.com
Fri Dec 22 01:01:54 UTC 2017


Hi Moritz,

Great work finding this. This only affects a client initiating so I
think the impact is going to be moderate if even that.

But great find and thanks for reporting it.

I added a link on the JCIFS site to your jcifs-ng project which looks
very interesting.

Keep up the good work.

Mike

On Tue, Dec 19, 2017 at 5:06 AM, Moritz Bechler via jCIFS
<jcifs at lists.samba.org> wrote:
> Hi,
>
> working on the SPNEGO/NTLM support in jcifs-ng I stumbled over a
> security issue in the NTLM implementation originating from the original
> jcifs codebase.
>
> If NTLMSSP_NEGOTIATE_SIGN is set but the NTLMSSP_NEGOTIATE_KEY_EXCH flag
> is cleared (e.g. by an attacker) the Type3Message will include the
> session key in the clear.
>
> This does not so much affect the use in SMB signing in the original
> jcifs - as signing cannot be enforced (i.e. does not provide any real
> security guarantees anyway).
>
> But as it might affect people using the NTLM implementation on its own
> or maybe other forks I'm just making this public here.
>
> Fix in jcifs-ng is
> https://github.com/AgNO3/jcifs-ng/commit/6bcf3e4b3c61b0cfe154d05b3869870c31df6205
> (included in 2.0.4)
>
> CVE has been requested, will update when available.
>
>
> regards
>
> Moritz
>
> --
> AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
> Personally liable partner:
> Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820,
> Represented by Joachim Keltsch
>



-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
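As an added illustration (not code from jcifs or jcifs-ng), the following Python model contrasts the reported Type3 behaviour with what MS-NLMP specifies: the EncryptedRandomSessionKey field is populated only when NTLMSSP_NEGOTIATE_KEY_EXCH is negotiated, and then carries the RC4-wrapped exported key rather than the key material itself. The flag values are the MS-NLMP constants; the function names, sample keys and the "vulnerable" function are constructed for illustration and do not reproduce the original jcifs code or the linked fix.

```python
from typing import Tuple

# NTLMSSP negotiate flags as defined in MS-NLMP (NegotiateFlags field)
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); NTLM wraps the exported session key with it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def vulnerable_session_key_field(flags: int, key_exchange_key: bytes) -> bytes:
    """Constructed model of the reported defect: signing negotiated but
    KEY_EXCH cleared, and the raw session key is still copied into the
    Type3 EncryptedRandomSessionKey field without being wrapped."""
    if flags & NTLMSSP_NEGOTIATE_SIGN:
        return key_exchange_key          # session key goes out in the clear
    return b""


def hardened_session_key_field(flags: int, key_exchange_key: bytes,
                               exported_session_key: bytes) -> Tuple[bytes, bytes]:
    """MS-NLMP behaviour. Returns (field_bytes, session_key_in_use).
    With KEY_EXCH: field = RC4(KeyExchangeKey, ExportedSessionKey).
    Without it: field is empty and KeyExchangeKey is the session key."""
    if flags & NTLMSSP_NEGOTIATE_KEY_EXCH:
        return rc4(key_exchange_key, exported_session_key), exported_session_key
    return b"", key_exchange_key


def leaks_session_key(field: bytes, session_key: bytes) -> bool:
    """Defender's check: does a Type3 field expose the session key verbatim?"""
    return len(field) > 0 and field == session_key


if __name__ == "__main__":
    kek, esk = b"\x11" * 16, b"\x22" * 16   # constructed sample keys
    print("vulnerable leaks:", leaks_session_key(
        vulnerable_session_key_field(NTLMSSP_NEGOTIATE_SIGN, kek), kek))
    field, sk = hardened_session_key_field(NTLMSSP_NEGOTIATE_SIGN, kek, esk)
    print("hardened leaks:", leaks_session_key(field, sk))
```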