AFS-USERS Archives

June 2011

AFS-USERS@LISTSERV.DARTMOUTH.EDU

Subject:
From: Richard Brittain <[log in to unmask]>
Reply To: AFS users at Dartmouth <[log in to unmask]>
Date: Thu, 16 Jun 2011 23:06:35 -0400
We learned today that an update issued by Microsoft on Tuesday is known to 
break all versions of the OpenAFS client for Windows.  The patch (KB2536276) is 
considered a critical security patch and was bundled in the default update set 
for all Windows versions.  Most likely some campus machines already have it 
installed.

The patch fixes security issues in the SMB redirector, which is a critical 
component of the OpenAFS client.

The SMB redirector is also used by Symantec Endpoint Protection, as part of 
its filtering of network traffic, and there have been known conflicts in the 
past between OpenAFS and SEP, at least for older versions of SEP.
My initial testing on a 32-bit XP system with SEP 11.0.5 shows that the new MS 
patch does not break the client completely, but seems to re-introduce the data 
corruption bug which we spent so much time tracking down 2 years ago.  This is 
worse than failing to work at all.

There is very little information yet from the OpenAFS community.

Tomorrow I'll test Windows 7 with SEP.

The OpenAFS developers have a completely new client which does not use the SMB 
redirector at all, but uses the Windows Installable File System (IFS) 
framework.  Eventually this version will provide many other benefits besides 
bypassing this problem, but the software isn't yet ready for public release.

Richard
-- 
Richard Brittain,  Research Computing Group,
                    Computing Services, 37 Dewey Field Road, HB6219
                    Dartmouth College, Hanover NH 03755
[log in to unmask] 6-2085

---------- Forwarded message ----------
Date: Thu, 16 Jun 2011 22:19:26 -0400 (EDT)
From: Richard Brittain <[log in to unmask]>
To: Jeffrey Altman <[log in to unmask]>
Cc: Richard Brittain <[log in to unmask]>
Subject: Re: [OpenAFS] Microsoft Security Hot Fix MS11-043 breaks OpenAFS 
client

My first experience with this MS update applied:

  XP, 32-bit, 1.5.latest OpenAFS, Symantec Endpoint Protection 11.0.5
  installed and active
    => OpenAFS client still seems to work, hangs occasionally, but on testing,
       shows the data corruption symptoms which we investigated thoroughly a
       couple of years ago (MTU-related)

  Symantec Endpoint Protection DISABLED (through their interface) but still
  installed
    ==> OpenAFS client performance is back to normal, and passes the data
        verification test

  Backed out the MS11-043 (KB2536276) patch, re-enabled SEP and re-tested
    ==> OpenAFS client works as expected and passes the data verification test.

Since we know Symantec does something funky with SMB too, to trap and examine 
all the network traffic, maybe this bypasses Microsoft's SMB validation test?

Richard Brittain

On Thu, 16 Jun 2011, Jeffrey Altman wrote:

> Please be aware that this past Tuesday Microsoft pushed out a Security
> Fix for the Microsoft SMB Redirector for all versions of Windows back to
> XP and Server 2003.  This hot fix, MS11-043, patches a critical
> vulnerability in the SMB Redirector that can result in Remote Code
> Execution.  As a result I cannot recommend that this hot fix not be
> applied.  MS11-043 replaces MS11-019 and MS10-020.
> 
> https://www.microsoft.com/technet/security/bulletin/ms11-043.mspx
> 
> MS11-043 when applied will break the OpenAFS Client.  The SMB protocol
> responses issued by the OpenAFS SMB server implementation do not pass
> the validation checks now imposed by the Microsoft SMB redirector.
> 
> At this time I have no knowledge of what changes were made to the
> Microsoft SMB redirector and in what manner the OpenAFS SMB Server
> responses are invalid.
> 
> The OpenAFS IFS implementation is not quite ready for broad production
> use but it may be the only option available to the community at this time.
> 
> Further information to follow on a possible rushed release cycle for the
> IFS functionality to the general public in its current state.
> 
> Jeffrey Altman
