AFS-USERS Archives

June 2011

AFS-USERS@LISTSERV.DARTMOUTH.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: [OpenAFS] Microsoft Security Hot Fix MS11-043 breaks OpenAFS client (fwd)
From:
Richard Brittain <[log in to unmask]>
Reply To:
AFS users at Dartmouth <[log in to unmask]>
Date:
Tue, 21 Jun 2011 16:33:39 -0400
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (80 lines) 
Sorry for the slow followup with this issue.  From the testing we've done 
locally, we see no complete failure of the client after applying the 
latest Windows Updates, but we can generate data corruption in very 
specific circumstances.

- Symantec Endpoint Protection "Network Threat Protection" installed and 
enabled (tested with v 11.0.5, but 11.0.4 may also be vulnerable)

AND

- Network interface MTU (Maximum Transmission Unit) set to something 
smaller than the default (1500).  This setting is NOT configured by 
default, and will not be set on XP or Win7 "out of the box".  However, it 
is known to be set by some (misguided) software which tries to probe the 
local network and optimize the settings.

Checking your system for the MTU setting is different on XP and Win7

Windows 7:
Open a command shell and type

  netsh interface ipv4 show subinterfaces

- this will display some configuration details of all the network 
interfaces know to the system.  Look for the "Local Area Connection" - it 
should have a value of "1500".  Note that VPN and some other types may 
report "1400".

Windows XP:
Open a command shell and type (all 1 line)

  reg query 
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ /s

This dumps the network interface configuration for all the interfaces on 
the system (there will be several).  You need to look for a key named 
"MTU", which might have a value like "0x514".  On a standard system it 
won't be found at all.  It is hard to look up the value exactly because 
the network interfaces are named by unique identifiers which look like 
random strings.

If the MTU key is set on XP, or has a value of anything other than 1500 on 
Win7, email Research Computing for advice.

On Thu, 16 Jun 2011, Richard Brittain wrote:

> We learned today that an update issued by Microsoft on tuesday is known to 
> break all versions of the OpenAFS client for Windows.  The patch (KB2536276) 
> is considered a critical security patch and was bundled in the default update 
> set for all Windows versions.  Most likely some campus machines already have 
> it installed.
>
> The patch fixes security issues in the SMB redirector, which is a critical 
> component of the OpenAFS client.
>
> The SMB redirector is also used by Symantec Endpoint Protection, as part of 
> it's filtering of network traffic, and there have been known conflicts in the 
> past between OpenAFS and SEP, at least for older versions of SEP.
> My initial testing on a 32-bit XP system with SEP 11.0.5 shows that the new 
> MS patch does not break the client completely, but seems to re-introduce the 
> data corruption bug which we spent so much time tracking down 2 years ago. 
> This is worse than failing to work at all.
>
> There is very little information yet from the OpenAFS community.
>
> Tomorrow I'll test Windows7 with SEP.
>
> The OpenAFS developers have a completely new client which does not use the 
> SMB redirector at all, but uses the Windows Installable File System (IFS) 
> framework.  Eventually this version will provide many other benefits besides 
> bypassing this problem, but the software isn't yet ready for public release.
>
> Richard

-- 
Richard Brittain,  Research Computing Group,
                    Computing Services, 37 Dewey Field Road, HB6219
                    Dartmouth College, Hanover NH 03755
[log in to unmask] 6-2085

ATOM RSS1 RSS2