Upgrading to SGOS 6.6.4.x can sometimes break IWA Direct if SMB signing is disabled on the domain controller


Article ID: 169153


Products

ProxySG Software - SGOS

Issue/Introduction

After an upgrade to SGOS 6.6.4.x or later, a proxy using IWA Direct fails to establish a secure channel with the domain controller (DC) when SMB signing is disabled on the DC.





 

Cause

When the ProxySG appliance establishes a secure channel with the DC in IWA Direct, it must use SMB signing. This change in behavior was made because of the Badlock vulnerability (CVE-2016-2115 and CVE-2016-2118).

In SGOS 6.6.4.x, the proxy requires SMB signing. In versions prior to 6.6.4.x, there was no requirement for SMB signing. As a result, upon upgrading to 6.6.4.x, the proxy fails to establish the secure channel if SMB signing was disabled prior to upgrade. 

A packet capture shows that when the proxy sends the SMB request, the flag for "Security Signatures Required" is set to "1", which means SMB signing is required.
 
No.     Time           Source                Destination           SrcPrt DstPrt Protocol Length Info
    712 37.837828      x.x.x.x               y.y.y.y               1358   445    SMB      117    Negotiate Protocol Request
 
SMB (Server Message Block Protocol)
...<skipped>...
        Flags2: 0xc853, Unicode Strings, Error Code Type, Extended Security Negotiation, Long Names Used, Security Signatures Required, Extended Attributes, Long Names Allowed
...<skipped>...
            .... .... ...1 .... = Security Signatures Required: Security signatures are required
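
The Flags2 check from the capture above, as an added Python example that is not part of the original article: it decodes the Flags2 field of an SMB1 header and reports whether the 0x0010 "Security Signatures Required" bit is set. The function names are illustrative and the sample header is constructed, not a captured packet.

```python
import struct

# SMB1 Flags2 bits (MS-CIFS / MS-SMB), labelled as in the capture above.
FLAGS2 = {
    0x8000: "Unicode Strings",
    0x4000: "Error Code Type",
    0x0800: "Extended Security Negotiation",
    0x0040: "Long Names Used",
    0x0010: "Security Signatures Required",
    0x0004: "Security Signatures",
    0x0002: "Extended Attributes",
    0x0001: "Long Names Allowed",
}
SIGNING_REQUIRED = 0x0010
SMB_COM_NEGOTIATE = 0x72


def parse_smb1_flags2(payload: bytes) -> dict:
    """Return command, Flags2 and decoded flag names from an SMB1 message.

    Accepts the TCP payload with or without the 4-byte NetBIOS session header.
    """
    if payload[:1] == b"\x00" and payload[4:8] == b"\xffSMB":
        payload = payload[4:]  # strip NetBIOS session service header
    if len(payload) < 32 or payload[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header (SMB2/3 starts with 0xFE 'SMB')")
    command = payload[4]
    # Flags2 is a little-endian 16-bit field at offset 10 of the SMB1 header.
    (flags2,) = struct.unpack_from("<H", payload, 10)
    return {
        "command": command,
        "flags2": flags2,
        "names": [name for bit, name in FLAGS2.items() if flags2 & bit],
        "signing_required": bool(flags2 & SIGNING_REQUIRED),
    }


def build_sample_negotiate(flags2: int) -> bytes:
    """Constructed 32-byte SMB1 header for testing; not a captured packet."""
    hdr = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x18"
    hdr += struct.pack("<H", flags2) + b"\x00" * 20
    return struct.pack(">I", len(hdr)) + hdr


if __name__ == "__main__":
    info = parse_smb1_flags2(build_sample_negotiate(0xC853))
    print(hex(info["flags2"]), info["names"], info["signing_required"])
```
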
 
 

Resolution

Enable SMB signing on the DC.