[Samba] FW: Microsoft Security Bulletin MS02-070: Flaw in SMB Signing Could Enable Group Policy to be Modified (309376)

Barry, Christopher cbarry at infiniconsys.com
Wed Jan 22 21:47:00 GMT 2003


All,
	Could this patch in any way cause problems with samba?

Thanks,

--
Christopher Barry
Manager of Information Systems
InfiniCon Systems
http://www.infiniconsys.com
office:610.233.ISIS (4747)
direct:610.233.4870
cell:267.879.8321


-----Original Message-----
From: Microsoft
[mailto:0_43315_DF3995CE-B70B-4C45-84DF-1BC91F60239E_US at Newsletters.Micr
osoft.com]
Sent: Wednesday, January 22, 2003 4:29 PM
To: Barry, Christopher
Subject: Microsoft Security Bulletin MS02-070: Flaw in SMB Signing Could
Enable Group Policy to be Modified (309376)


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Flaw in SMB Signing Could Enable Group Policy to be
            Modified (309376)
Released:   11 December 2002
Revised:    22 January 2003 (version 2.0)
Software:   Microsoft Windows 2000 
            Microsoft Windows XP
Impact:     Modify group policy.
Max Risk:   Moderate 

Bulletin:   MS02-070

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-070.asp.
- ----------------------------------------------------------------------

Reason for Revision:
====================
Subsequent to releasing this bulletin it was determined that the
fix was not included in Microsoft Windows XP Service Pack 1. The
bulletin has been updated to reflect this, and the patch had been 
updated so that it installs on Windows XP Service Pack 1 systems.
Customers who are currently running XP Service Pack 1 should apply 
the patch.

Issue:
======
Server Message Block (SMB) is a protocol natively supported by all
versions of Windows. Although nominally a file-sharing protocol, it
is used for other purposes as well, the most important of which is
disseminating group policy information from domain controllers to
newly logged on systems. Beginning with Windows 2000, it is possible
to improve the integrity of SMB sessions by digitally signing all
packets in a session. Windows 2000 and Windows XP can be configured
to always sign, never sign, or sign only if the other party requires
it. 

A flaw in the implementation of SMB Signing in Windows 2000 and
Windows XP could enable an attacker to silently downgrade the SMB
Signing settings on an affected system. To do this, the attacker
would need access to the session negotiation data as it was exchanged
between a client and server, and would need to modify the data in a
way that exploits the flaw. This would cause either or both systems
to send unsigned data regardless of the signing policy the
administrator had set. After having downgraded the signing setting,
the attacker could continue to monitor the session and change data
within it; the lack of signing would prevent the communicants from
detecting the changes. 

Although this vulnerability could be exploited to expose any SMB
session to tampering, the most serious case would involve changing
group policy information as it was being disseminated from a Windows
2000 domain controller to a newly logged-on network client. By doing
this, the attacker could take actions such as adding users to the
local Administrators group or installing and running code of his or
her choice on the system.

Mitigating Factors:
====================
 - Exploiting the vulnerability would require the attacker to have
   significant network access already. In most cases, the attacker
   would need to be located on the same network segment as one of
   the two participants in the SMB session. 
 - The attacker would need to exploit the vulnerability separately
   for each SMB session he or she wanted to interfere with. 
 - The vulnerability would not enable the attacker to change group
   policy on the domain controller, only to change it as it flowed
   to the client. 
 - SMB Signing is disabled by default on Windows 2000 and Windows
   XP because of the performance penalty it exacts. On networks
   where SMB Signing has not been enabled, the vulnerability would
   pose no additional risk - because SMB data would already be
   vulnerable to modification.

Risk Rating:
============
 - Windows 2000: Moderate 
 - Windows XP: Low

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-070.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" 
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS 
OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A 
PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE 
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT 
CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF
SUCH 
DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR 
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPi7jkI0ZSRQxA/UrAQE5Rwf+Mdiw4voN7gHpXboUaEQQD5pqYXsH9mta
clX7elWmpyNO7OGIFtYHnTd9xaxzXo7EU8XU4c71EI+E0Gwth9d52253gWKNznQg
Z1qmv2kfvTRS4ZAuoeGYq+ZCLUqyYHgdtFhlCo+LLJ6mRk43dP5QdggWf9rTKdnv
+1FvbksSWFtnuh6FvDiHwLZ4wjmGaArY6FX82s71QgL3yhVeEFCMYGkwUIg+K5CQ
jJqDy/eAj3WI0MyEX+zSOR+Ns2rvnwgkD4z/NJzoz/kEfZfDkW0gmqNaY17L8xEu
GSBY7ILugmyk+hNlYze7xBYOHQmlHtxkPAozZocgp3rYw6DBuO3vyA==
=6myz
-----END PGP SIGNATURE-----



*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.



More information about the samba mailing list