lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 30 Jun 2005 11:04:07 -0700
From: gerald <geraldf@...ternsaw.com>
To: bugtraq@...urityfocus.com
Subject: Anyone else having serious repercussions from applying W2k sp4 se
	curity rollup patch?


Hi,all;

Has anyone else had serious trouble after applying Security rollup patch for
w2k server sp4?

Immediately after applying patch, DNS zones disappeared and all file
replication between DCs was terminated.  Enforced replication was prevented
with "Access denied" message.  DCs just stopped talking to each other.
Appears to be a Kerberos problem.  I guess this puts a new definition to the
term "ROLLUP".

ONLY solution thus far is to do an FSMO role seize off all DCs other than
one DC running DNS (very difficult because of "Access denied " status).
Then each stripped DC, which will only respond to the Dcpromo /forced, is
demoted to standalone status (Dcpromo for demotion will not work).  Have to
use "ADSI edit"  and "Metadata cleanup" to purge Active Directory of
references to former DCs.

Stripped all former DCs and rebuilt, then rejoined the domain and ran
Dcpromo on all.

MSFT assisted in the recovery.  Noone seems to know what happened, but we
can damn close to a total network loss due to one patch.  They tried
regenerating Kerberos tickets and reestablishing the secure channel...no
luck..."Access denied" was the only response.

The only thing I saw out of the ordinary was after applying the patch and
rebooting, about 5 minutes later the DC which was the DNS server
spontaneously rebooted.  No core dump, just a mystery reboot.  When it can
back up, the Network was hosed.

I have avoided all prior snafus with MSFT service packs and patches since
the days of NT3.5 by hanging back a little and watching for warnings on
Bugtrac.  Got nailed good this time.  So this is my turn to sound the
warning and give payback to all who have kept me out of trouble in the past
by taking the time in the midst of a crisis to post.  

Lesson learned:  when dealing with MSFT, there is no such thing as a trivial
service pack or patch.  

I guess that's why they pay us the big bucks...to recover from what hackers,
users, power surges, or vendors (and even sometimes ourselves ;--)  do to
our networks.  Ya gotta love this job!

gerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ