Open Source and information security mailing list archives
Date:   Fri, 14 Oct 2022 21:58:06 +0200
From:   Carsten Langer <carsten.langer@....de>
To:     Steve French <smfrench@...il.com>,
        Thorsten Leemhuis <regressions@...mhuis.info>
Cc:     Davyd McColl <davydm@...il.com>,
        "lsahlber@...hat.com" <lsahlber@...hat.com>,
        "stfrench@...rosoft.com" <stfrench@...rosoft.com>,
        "linux-cifs@...r.kernel.org" <linux-cifs@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "regressions@...ts.linux.dev" <regressions@...ts.linux.dev>
Subject: Re: Possible regression: unable to mount CIFS 1.0 shares from older
 machines since 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c

 > We have been looking to see if we could setup some VMs for something
 > that old, and we are willing to test against it if it could
 > realistically be setup, but it has been harder than expected. Ronnie
 > had some ideas and we are willing to experiment more but realistically
 > it is very hard to deal with 'legacy museum style' unless we have some
 > VMs available for old systems.
 >
 > Feel free to contact Ronnie and me or Shyam etc (offline if easier) if
 > you have ideas on how to setup something like this.   We don't want to
 > be encouraging SMB1, but certainly not NTLMv1 auth with SMB1 given its
 > security weaknesses (especially given the particular uses hackers have
 > made of 25+ year old NTLMv1 weaknesses).

I would be willing to try to set up a VM for testing.

The issue was further discussed in
https://bugzilla.kernel.org/show_bug.cgi?id=215375
I think we could split the topic. The part important for me and others
affected by this bug is that this regression introduced a protocol
violation of the SMB1 protocol, even for the case where users want to
use SMB1 in guest mode, i.e. without any authentication. At least in
this case IMHO we do not need to discuss NTLMv1 etc., but just make sure
that the SMB1 protocol is again correctly followed for the case that no
user/password is needed. That is what the proposed patch is about.

Thus my idea would be to set up an old-enough Samba server providing the
SMB1 protocol (just) for guest mode, without user/password. If I could
then prove that without the patch the error against that VM occurs and
with the patch it works fine, would that be enough?

But I wonder what you understand by VM? A VirtualBox OVA file? VMware?
Some Dockerfile to create an image?
And as this will be a test against a simulated server in a network, are
there standard requirements for how the network is set up between the
test system and the VM?

- Carsten
