List:       cifs-protocol
Subject:    Re: [cifs-protocol] Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any doc upda
From:       Andrew Bartlett via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2022-05-23 19:32:44
Message-ID: 080a0ce0291ba351bf45ae6bead788f54ccd15a8.camel () samba ! org

Thanks so much, that is what I wanted clarified.  I had hoped for
something broader (anonymous access will continue to bite us all), but
alas!

Andrew,

On Mon, 2022-05-23 at 17:24 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> After CVE-2022-26925, if a client connects to MS-EFSR server over lsarpc pipe and
> authenticates anonymously, use of any of the interfaces listed in MS-EFSR will
> receive RPC_S_ACCESS_DENIED.  I have filed a bug to document this in MS-EFSR.
> 
> Please let me know if this does not answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi 
> Sent: Wednesday, May 18, 2022 2:33 AM
> To: 'Andrew Bartlett' <abartlet@samba.org>
> Cc: 'cifs-protocol mailing list' <cifs-protocol@lists.samba.org>; Tom Devey
>     <Tom.Devey@microsoft.com>; 'Obaid Farooqi' <obaidf@microsoftsupport.com>
> Subject: RE: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get
>     any doc updates for
>     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 -
>     TrackingID#2205110040000761
>
> Hi Andrew:
> There are really no protocol-level changes for CVE-2022-26925. Here is what is done
> to lock down the anonymous access on lsarpc named pipe.
>
> This change is only effective for MS-EFSR protocol. When the EFS service registers
> with lsarpc endpoint, it now specifies RPC_IF_ALLOW_SECURE_ONLY flag. This will
> reject any attempts to use MS-EFSR interfaces if the authentication is anonymous.
> You can read the details of how this is accomplished in the "Remarks" section of
> the following link:
> https://docs.microsoft.com/en-us/windows/win32/api/rpcdce/ns-rpcdce-rpc_interface_template
> 
> Please let me know if this doesn't answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Thursday, May 12, 2022 2:00 PM
> To: Andrew Bartlett <abartlet@samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Tom Devey
>     <Tom.Devey@microsoft.com>; Obaid Farooqi <obaidf@microsoftsupport.com>
> Subject: RE: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get
>     any doc updates for
>     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925 -
>     TrackingID#2205110040000761
>
> Hi Andrew:
> There are no doc changes for CVE-2022-26925. I am looking into it and will let you know
> if any doc changes are warranted.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Sreekanth Nadendla <srenaden@microsoft.com>
> Sent: Tuesday, May 10, 2022 9:16 PM
> To: Andrew Bartlett <abartlet@samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>
> Subject: Anonymous access to lsarpc changes (LSA Spoofing): Can I please get any
>     doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925
>     - TrackingID#2205110040000761
>
> Dochelp in Bcc
>
> Hello Andrew, thank you for your question about open specifications concerning
> CVE-2022-26925. We have created incident 2205110040000761 to track the
> investigation for this issue.
>
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
> 
> -----Original Message-----
> From: Andrew Bartlett <abartlet@samba.org>
> Sent: Tuesday, May 10, 2022 5:43 PM
> To: Interoperability Documentation Help <dochelp@microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>
> Subject: [EXTERNAL] Anonymous access to lsarpc changes (LSA Spoofing): Can I please
>     get any doc updates for
>     https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925
>
> Kia Ora Dochelp,
> 
> Can you please point me at the protocol Doc updates for CVE-2022-26925 please, as
> no errata is showing at
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33
> and I believe it is important for Samba to be able to mitigate this issue also.
>
> I have long wanted to lock down anonymous access to Samba's RPC services and I
> think this might allow us to do so in a way that matches Windows, so details of the
> protocol-visible changes would be most helpful.
>
> Thanks!
> 
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)        https://samba.org/~abartlet/
> Samba Team Member (since 2001)  https://samba.org/
> Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source Solutions
> 

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

