SMB connections from non-Microsoft clients may fail after applying security update MS11-014

Are you having problems connecting from non-Windows SMB clients to Windows 2003 servers after installing the security patch from Microsoft Security Bulletin MS11-014 (Important: Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege, 2478960)?

Third-party SMB client software, including but not limited to NetApp filers, Samba v3.0.22, and Vintela/Quest Authentication Services (VAS\QAS) clients, may depend on a field that was removed. Client software with this dependency aborts the SMB session setup attempt as soon as the Negotiate Protocol Response is received from the server. The problem occurs because the QFE version of the security update interacts unexpectedly with an encapsulated hotfix, which causes the negotiate hint to be dropped from the Negotiate Protocol Response. The hint is an optional field per RFC 4178 and is not required for Windows clients to negotiate correctly; third-party SMB clients, however, may depend on it.
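The following is an added example, not code from the article or from Microsoft: a minimal Python decoder for the SPNEGO security blob carried in the Negotiate Protocol Response that reports whether the negotiate hint (the negHints [3] field of MS-SPNG's NegTokenInit2 extension) is present, together with a client-side decision that models the strict behaviour described above against a tolerant one. The two sample tokens are constructed here; the hintName string and the DER tag layout follow MS-SPNG, and the NTLMSSP-only mechType list is an assumption for brevity.

```python
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
HINT_NAME = b"not_defined_in_RFC4178@please_ignore"   # hintName value Windows sends (MS-SPNG)

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; enough for tokens under 256 bytes."""
    n = len(body)
    assert n < 256
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def negotiate_blob(with_hint: bool) -> bytes:
    """Constructed sample of the server's token: NegTokenInit2 with mechTypes [0] and, optionally, negHints [3]."""
    fields = der(0xA0, der(0x30, der(0x06, NTLMSSP_OID)))      # mechTypes [0] SEQUENCE OF OID
    if with_hint:
        hint = der(0xA0, der(0x1B, HINT_NAME))                  # hintName [0] GeneralString
        fields += der(0xA3, der(0x30, hint))                    # negHints [3] SEQUENCE
    token = der(0xA0, der(0x30, fields))                        # negTokenInit [0]
    return der(0x60, der(0x06, SPNEGO_OID) + token)             # [APPLICATION 0] InitialContextToken

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                                # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_negotiate_blob(blob: bytes) -> dict:
    """Report which NegTokenInit2 fields the server's token carries."""
    tag, body, _ = read_tlv(blob, 0)
    assert tag == 0x60, "not a GSS-API InitialContextToken"
    tag, oid, pos = read_tlv(body, 0)
    assert tag == 0x06 and oid == SPNEGO_OID, "not an SPNEGO token"
    _, choice, _ = read_tlv(body, pos)                          # negTokenInit [0]
    _, seq, _ = read_tlv(choice, 0)                             # SEQUENCE of context-tagged fields
    fields, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = val                                # keep by context tag number
    hint = None
    if 3 in fields:                                             # SEQUENCE -> hintName [0] -> GeneralString
        name = read_tlv(read_tlv(fields[3], 0)[1], 0)[1]
        hint = read_tlv(name, 0)[1].decode()
    return {"mech_types": 0 in fields, "neg_hints": 3 in fields, "hint_name": hint}

def session_setup_proceeds(blob: bytes, strict_client: bool) -> bool:
    """A strict client (the dependency described above) aborts session setup
    when negHints is absent; a tolerant client only requires mechTypes."""
    f = parse_negotiate_blob(blob)
    return f["mech_types"] and (f["neg_hints"] or not strict_client)
```

Feeding the security blob from a captured Negotiate Protocol Response into parse_negotiate_blob shows directly whether a patched server still sends the hint.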

We have confirmed that customers using earlier versions of the Samba smbclient (version 3.0.11 and earlier) and VAS\QAS clients (prior to 3.5.2.80) may experience problems. Customers running older versions of NetApp filers may experience problems if those filers are acting as SMB clients. Customers running VAS\QAS clients on Unix file servers may also experience this issue.

Below is an example network trace of the failure as it appears on the wire:

UNIX server with VAS Client = 192.168.1.100

Windows 2003 Server w/ MS11-014 = 192.168.1.123

Source IP      Destination IP  Protocol  Description
192.168.1.100  192.168.1.123   TCP       61603 > microsoft-ds [SYN] Seq=0 Win=16384 Len=0 MSS=1460
192.168.1.123  192.168.1.100   TCP       microsoft-ds > 61603 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
192.168.1.100  192.168.1.123   TCP       61603 > microsoft-ds [ACK] Seq=1 Ack=1 Win=17520 Len=0
192.168.1.100  192.168.1.123   SMB       Negotiate Protocol Request
192.168.1.123  192.168.1.100   SMB       Negotiate Protocol Response
192.168.1.100  192.168.1.123   TCP       61603 > microsoft-ds [FIN, ACK] Seq=63 Ack=154 Win=17520 Len=0
192.168.1.123  192.168.1.100   TCP       microsoft-ds > 61603 [FIN, ACK] Seq=154 Ack=64 Win=64178 Len=0
192.168.1.100  192.168.1.123   TCP       61603 > microsoft-ds [ACK] Seq=64 Ack=155 Win=17520 Len=0

Many third-party vendors have removed this dependency in recent updates, and later versions of the software listed above have been used to work around the problem. As a workaround, customers should contact their software vendors to find out whether an updated version of the client software is available.