Now that the badlock bug and fixes are available, it is too much for some companies
realrichardsharpe at gmail.com
Thu Apr 14 09:42:30 UTC 2016
On Wed, Apr 13, 2016 at 11:58 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2016-04-13 at 11:52 -0700, Richard Sharpe wrote:
>> I am suggesting it as an interim solution that mitigates the risk
>> while we get the complete solution through the organization because
>> it is going to require a long testing cycle because of the amount of
>> change that it involves.
> Do you enforce SMB signing in your product? If not, MITM attacks
> against SMB (and so ncacn_np) are much easier to do than exploiting
> this issue. The reason the release came with so many other fixes is
> that only with them all fixed and signing required on all protocols does
> it make sense.
We do what the client asks for in that regard. With SMB2 don't clients
drop the connection if they ask for signing and the server refuses to
> The rest is a pile of correctness stuff that is worthwhile, but put
> another way, if the front door is unlocked, checking the deadbolt on
> the patio isn't much help.