SMB2 server should require signed Validate Negotiate requests
When both the client and server enable, but do not require, signing, the SMB server does not check signatures of signed requests, but signs responses to signed requests.. If either the server or the client require signing, the SMB server checks the signature of signed requests, and rejects unsigned ones. This is effective because SMB2's validate negotiate ioctl provides downgrade detection, as it replays the unsigned negotiate under a signed session.
The protocol requires that validate negotiate requests and replies ALWAYS be signed. However, the SMB2 server does not actually enforce this. As such, in a case where the client requires signing, but the server does not, a MITM can downgrade the server's understanding of the client's signing capabilities, and thus cause the server to never check signatures.
Updated by Electric Monk about 1 year ago
- % Done changed from 0 to 100
- Status changed from In Progress to Closed
commit 4ad35fa3117b4f36004f76885e267a46c738a794 Author: Matt Barden <firstname.lastname@example.org> Date: 2019-11-14T14:23:07.000Z 11038 SMB2 server should require signed Validate Negotiate requests Reviewed by: Gordon Ross <email@example.com> Reviewed by: Evan Layton <firstname.lastname@example.org> Reviewed by: Andrew Stormont <email@example.com> Approved by: Garrett D'Amore <firstname.lastname@example.org>