List: cifs-protocol
Subject: Re: [cifs-protocol] [EXTERNAL] Looking for missing documentation (MS-KILE?) for CVE-2024-21427 - Tra
From: Obaid Farooqi via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2024-04-24 20:44:25
Message-ID: BL1PR21MB3091979936EB216FC7B7AA11C6102 () BL1PR21MB3091 ! namprd21 ! prod ! outlook ! com
Hi Andrew:
For the questions posed below by you, we have finished our investigation.
CVE-2024-21427: There are no on-the-wire changes; 21427 made sure we enforced auth silo checks on AS-REQs when they weren't to KRBTGT. We already enforced them on TGS.
CVE-2024-20674: There are no on-the-wire changes; 20674 was a logic failure in our parsing of an error code.
PAC signature changes: Paul provided you with the file with structures and details in a meeting.
Please let me know if this does not answer your questions.
Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
From: Jeff McCashland (He/him) <jeffm@microsoft.com>
Sent: Monday, April 8, 2024 9:25 PM
To: Andrew Bartlett <abartlet@samba.org>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; Microsoft Support <supportmail@microsoft.com>
Subject: Re: [EXTERNAL] Looking for missing documentation (MS-KILE?) for CVE-2024-21427 - TrackingID#2404090040000707
[DocHelp to BCC, support on CC, SR ID on Subject]
Hi Andrew,
Thank you for your questions. I will respond to this email 3 times to create a separate thread (and SR ID) for each of these questions.
We have created SR 2404090040000707 to track the question about CVE-2024-21427. One of our engineers will respond.
Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
________________________________
From: Andrew Bartlett <abartlet@samba.org>
Sent: Monday, April 8, 2024 4:26 PM
To: Interoperability Documentation Help <dochelp@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>
Subject: [EXTERNAL] Looking for missing documentation (MS-KILE?) for CVE-2024-21427, CVE-2024-20674 and PAC signature changes
Kia Ora Dochelp,
Recently we have seen CVE-2024-21427 and CVE-2024-20674 issued.
The first CVE-2024-21427, we know what the details are from our report, but we don't have details of the protocol change from the MS side, so would like the full details in case there were protocol changes we didn't anticipate.
We don't have any details of the protocol changes for CVE-2024-20674, and as it is marked Critical we would like to ensure we don't have a similar issue or can follow any protocol changes made for interoperability.
Finally, we have noticed in November (or earlier) that the Server signature in the Kerberos PAC is no longer RC4_HMAC, even with RC4 tickets. This makes a lot of sense, but I don't see any documentation and I would like to update our implementation to match.
We would greatly appreciate any information that is available on these recent Kerberos protocol changes.
Thanks,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions