Now that the badlock bug and fixes are available, it is too much for some companies

Andrew Bartlett abartlet at samba.org
Thu Apr 14 09:50:29 UTC 2016


On Thu, 2016-04-14 at 02:36 -0700, Richard Sharpe wrote:
> On Wed, Apr 13, 2016 at 11:58 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Wed, 2016-04-13 at 11:52 -0700, Richard Sharpe wrote:
> > 
> > > 
> > > I am suggesting it as an interim solution that mitigates the risk
> > > while we get the complete solution through the organization, because
> > > QA is going to require a long testing cycle because of the amount of
> > > code change that it involves.
> > > 
> > 
> > Do you enforce SMB signing in your product?  If not, MITM attacks
> > against SMB (and so ncacn_np) are much easier to do than exploiting
> > this issue.  The reason the release came with so many other fixes is
> > that only with them all fixed and signing required on all protocols
> > does it make sense.
> 
> I don't understand how what you said addresses the issue I raised. We
> are working on getting all the changes in and have raised tickets to
> do so.
> 
> What I am referring to is a way that something can be done quickly
> while the rest of it is integrated into the product and tested.
> 
> Also, as I have raised elsewhere, any competent QA organization is
> going to require reproducers to demonstrate that the claimed problem
> exists in the code before it was fixed and is gone after the fix.

What I'm saying is that, unless this flaw is the only way to make an
unsigned connection to your server, then there is no need to rush here 
- there are other problems, known for decades, that are larger, but we
often chose not to close for $REASONS.

For the longest time, we chose performance over security on the LAN,
sadly.

That leaves you with the DoS issues, and even those would only take out
smbd in the easy case, and might take out winbindd in the harder case. 

Again, that avoids a little of the need to panic in the NAS situation. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
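The exchange above turns on one configuration question: is SMB signing actually required on the server, or has it been left at a "performance over security" setting? The following audit script is an added example and not Samba's own code or anything posted in this thread. It reads the `[global]` section of an smb.conf and reports, for the real parameters `server signing` and `client signing`, whether the value is an explicit `mandatory`. The two sample configs are constructed for the example; the helper names (`parse_global`, `audit_signing`, `signing_enforced`) are assumptions of this example, and the script deliberately does not guess what `default` resolves to, since that depends on the server role and Samba version.

```python
"""Audit an smb.conf for SMB signing enforcement (added example, not Samba code)."""
import re

# Values smb.conf(5) documents for "server signing" / "client signing".
# Anything outside this set is reported as unknown rather than interpreted.
KNOWN_VALUES = {"default", "auto", "mandatory", "disabled"}

# Parameters audited; both are real smb.conf parameters.
SIGNING_KEYS = ("server signing", "client signing")

# Constructed sample: the kind of LAN config that trades signing for speed.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   server signing = disabled
   client signing = auto

[share]
   path = /srv/share
"""

# Constructed sample: signing required for both server and client roles.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   server signing = mandatory
   client signing = mandatory

[share]
   path = /srv/share
"""


def parse_global(conf_text):
    """Return {normalised key: lower-cased value} for the [global] section only.

    smb.conf keys are case-insensitive and internal whitespace is not
    significant, so "Server  Signing" and "server signing" are the same key.
    """
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                     # section header
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())
        params[key] = value.strip().lower()
    return params


def audit_signing(conf_text):
    """Return a list of (parameter, value, verdict) tuples.

    verdict is 'ok' only for an explicit 'mandatory'.  An unset parameter
    is reported as 'default' / 'not-explicit' because what 'default' means
    depends on the server role and Samba version; an auditor should confirm
    it rather than assume signing is enforced.
    """
    params = parse_global(conf_text)
    findings = []
    for key in SIGNING_KEYS:
        value = params.get(key, "default")        # unset == default
        if value == "mandatory":
            verdict = "ok"
        elif value == "default":
            verdict = "not-explicit"
        elif value in KNOWN_VALUES:
            verdict = "weak"
        else:
            verdict = "unknown"
        findings.append((key, value, verdict))
    return findings


def signing_enforced(conf_text):
    """True only when every audited parameter is explicitly 'mandatory'."""
    return all(verdict == "ok" for _, _, verdict in audit_signing(conf_text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, signing_enforced(conf), audit_signing(conf))
```

Run it against the config your product ships (or the output of `testparm -s`, which prints the effective parameters) rather than a hand-written file, so that include files and role defaults are already resolved before the check sees them.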
