Project

General

Profile

Feature #11038

SMB2 server should require signed Validate Negotiate requests

Added by Gordon Ross 6 months ago. Updated 8 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Start date:
2019-05-15
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

When both the client and server enable, but do not require, signing, the SMB server does not check signatures of signed requests, but signs responses to signed requests.. If either the server or the client require signing, the SMB server checks the signature of signed requests, and rejects unsigned ones. This is effective because SMB2's validate negotiate ioctl provides downgrade detection, as it replays the unsigned negotiate under a signed session.

The protocol requires that validate negotiate requests and replies ALWAYS be signed. However, the SMB2 server does not actually enforce this. As such, in a case where the client requires signing, but the server does not, a MITM can downgrade the server's understanding of the client's signing capabilities, and thus cause the server to never check signatures.

History

#1

Updated by Gordon Ross about 1 month ago

  • Description updated (diff)
  • Status changed from New to In Progress
#2

Updated by Gordon Ross about 1 month ago

Fix is out for review as part of this PR:
https://github.com/illumos/illumos-gate/pull/68

#3

Updated by Electric Monk 8 days ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Closed

git commit 4ad35fa3117b4f36004f76885e267a46c738a794

commit  4ad35fa3117b4f36004f76885e267a46c738a794
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2019-11-14T14:23:07.000Z

    11038 SMB2 server should require signed Validate Negotiate requests
    Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Reviewed by: Andrew Stormont <astormont@racktopsystems.com>
    Approved by: Garrett D'Amore <garrett@damore.org>

Also available in: Atom PDF