SMB3 compression exploit in Windows: ADV200005

Andrew Bartlett abartlet at samba.org
Wed Mar 11 00:31:20 UTC 2020


I wanted to write a public heads up that Microsoft has published an
advisory about an exploit in their client and server SMBv3 compression
code.

We may start to get questions about this in Samba, and Samba users with
Windows clients might wish to carefully consider the guidance here in
the meantime:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

On the Samba side of things, while our lzexpress compression code
sucks[1], it isn't used in a vulnerable context, and certainly not in
SMB3.

Andrew Bartlett

[1] https://bugzilla.samba.org/show_bug.cgi?id=14190
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
https://catalyst.net.nz/services/samba

More information about the samba-technical mailing list