Based upon feedback received from the community, there are systems on which MS11-043 is installed on which connectivity between the SMB Redirector and the OpenAFS SMB Server continues to work successfully.

It is unclear at this point what percentage of systems are adversely affected and on which platforms. All of the systems that have reported errors are either XP or Server 2003. I have yet to receive a report about a Vista, Win7 or Server 2008 system and I have not yet had time to perform extensive testing across a range of operating system installs.

When an incompatibility due to the installation of MS11-043 occurs the nbtstat -n output reports that "AFS <20>" is registered on the Microsoft Loopback adapter and there is a valid connection between the local machine name and "AFS". However, all attempts to perform a CreateFile() operation on a file or directory in \\AFS will fail with ERROR_BAD_NET_RESP "The specified server cannot perform the requested operation." This error occurs when the input packet received by the SMB Redirector fails consistency checks.

Additional research is going to need to be performed on affected systems. The brand and version of anti-malware products may be playing a role. It is unclear.

At this point, I would recommend testing of MS11-043 in your environment before performing a large scale rollout.

Jeffrey Altman

On 6/16/2011 10:40 AM, Jeffrey Altman wrote:
> Please be aware that this past Tuesday Microsoft pushed out a Security
> Fix for the Microsoft SMB Redirector for all versions of Windows back to
> XP and Server 2003. This hot fix, MS11-043, patches a critical
> vulnerability in the SMB Redirector that can result in Remote Code
> Execution. As a result I cannot recommend that this hot fix not be
> applied. MS11-043 replaces MS11-019 and MS10-020.
>
> https://www.microsoft.com/technet/security/bulletin/ms11-043.mspx
>
> MS11-043 when applied will break the OpenAFS Client. The SMB protocol
> responses issued by the OpenAFS SMB server implementation do not pass
> the validation checks now imposed by the Microsoft SMB redirector.
>
> At this time I have no knowledge of what changes were made to the
> Microsoft SMB redirector and in what manner the OpenAFS SMB Server
> responses are invalid.
>
> The OpenAFS IFS implementation is not quite ready for broad production
> use but it may be the only option available to the community at this time.
>
> Further information to follow on a possible rushed release cycle for the
> IFS functionality to the general public in its current state.
>
> Jeffrey Altman
