Wednesday, April 7, 2021

Status of Submitted Vulnerabilities To MSRC

This list is intended to give vague information about submitted bugs, but important information about communication process and timeline.

Bug Title: Microsoft SMBv1 Disabled; Not Fully Disabled.

  • Affected software: Microsoft Servers 2019, 2016, 2012.
  • Type:Protocol Implementation Issue.
  • Submitted: 07/04/2021
  • Coordinated disclosure agreement expiration: 13/07/2021.
  • Notes and updates:

    -Complete detail was sent on 07/04/2021, ACK by MSRC on 08/04/2021.

    - MSRC ask for PoC

    - PoC sent with extra details.

    - MSRC ask to extend deadline to 13/07/2021 instead of 07/07/2021 since their July release is the 13th.

    - Agreed to MSRC's request and offer to provide more details if needed.

    - Requested update to MSRC on 16/04/2021

    - MSRC responded the 19/04/2021 and asked what is the security issue with having NetBIOS enabled by default.

    - A complete description on why it is a security concern was sent the same day.

    -  on 21/04/2021 a status update was requested.

    - MSRC answer on May 7th, and asserts multiple falsehoods about the protocol in question, referring to MSFT documentation, and states that NTLM messages are safe even when intercepted. Additionally, MSRC mention that I'm allowed to blog/disclose this issue.

    - A lengthy factual answer is sent back on May 9th, detailing the incoherence in both MSRC answer and MSFT documentation. Especially when publicly available NT4/Windows XP source code directly contradicts the said MSFT documentation. MSRC was also asked to run MultiRelay in conjunction with Responder in an A-D lab environment, and confirm if NTLM message are really that safe when intercepted. A temporary hold on disclosure was offered until the said email is assessed.

    - MSRC answers on May 10th, stating that they will review the "added submissions".

    - On may 26th, MSRC responded stating that they finally understood the issue and will be working on a fix.
  • *Check for more updates*.

 

No comments:

Post a Comment