straycat19
Posted February 21, 2017

Krebs on Security released the following information on this vulnerability:

Vulnerability Note VU#867968
Microsoft Windows SMB Tree Connect Response denial of service vulnerability
Original Release date: 02 Feb 2017 | Last revised: 03 Feb 2017

Overview

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.

Description

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.

Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction.

Exploit code for this vulnerability is publicly available.

Impact

By causing a Windows system to connect to a malicious SMB share, a remote attacker may be able to cause a denial of service by crashing Windows.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block outbound SMB

Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

SANS released the following note on the delay of the February Updates because of this specific vulnerability which Microsoft had not been able to satisfactorily fix.
Microsoft product security updates originally scheduled for release on February 14, 2017 will be included in the March 14, 2017 batch instead. Microsoft made the decision to delay the release due to "a last minute issue that could impact some customers." Users had been expecting a fix for a zero-day Windows SMB vulnerability that has been exploited in the wild. CERT has suggested a workaround for the issue in its Vulnerability Note.

John Pescatore made the following comment after the RSA Conference:

Microsoft made the right decision: one bad patch that disrupts business operations can be a huge setback in making progress to shorten the time between when patches come out and when operational systems are updated. The irony is that this announcement came on the same day that Microsoft President Brad Smith was speaking at the RSA Conference, where he never once mentioned anything Microsoft was doing to increase the quality of patches, let alone have a month (or more) with no patches...

Krebs Source
Microsoft Blog
Arstechnica Article
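One way to check that the outbound SMB block quoted above from the CERT/CC note is actually in effect, as an added example that is not part of the original post or the CERT/CC note: it scans firewall flow records for allowed connections from internal hosts to external addresses on the listed ports. The key=value log format, the sample records and the use of the RFC 1918 ranges as "internal" are assumptions.

```python
import ipaddress

# Ports from the CERT/CC workaround: TCP 139 and 445, UDP 137 and 138.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Assumption: the local network uses the RFC 1918 ranges; adjust to the real plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2017-02-21T09:14:02Z action=allow proto=tcp src=10.1.4.23 dst=10.1.0.5 dport=445
2017-02-21T09:14:07Z action=allow proto=tcp src=10.1.4.23 dst=203.0.113.50 dport=445
2017-02-21T09:14:09Z action=deny proto=tcp src=10.1.4.31 dst=198.51.100.7 dport=139
2017-02-21T09:15:40Z action=allow proto=udp src=192.168.7.12 dst=198.51.100.7 dport=137
2017-02-21T09:16:01Z action=allow proto=tcp src=10.1.4.23 dst=203.0.113.50 dport=443
2017-02-21T09:16:30Z action=allow proto=tcp src=10.1.4.40 dst=not-an-ip dport=445
""".splitlines()


def is_internal(addr):
    """True if addr is inside one of the INTERNAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)


def outbound_smb_leaks(lines):
    """Return (src, dst, proto, dport) for allowed internal-to-external SMB flows."""
    leaks = []
    for line in lines:
        # Tokens without '=' (such as the timestamp) are ignored.
        rec = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            key = (rec["proto"].lower(), int(rec["dport"]))
            crossing = is_internal(rec["src"]) and not is_internal(rec["dst"])
        except (KeyError, ValueError):
            continue  # malformed record: missing field, bad port or bad address
        if rec.get("action") == "allow" and key in SMB_PORTS and crossing:
            leaks.append((rec["src"], rec["dst"]) + key)
    return leaks


if __name__ == "__main__":
    for src, dst, proto, dport in outbound_smb_leaks(SAMPLE_LOG):
        print(f"outbound SMB allowed: {src} -> {dst} {proto}/{dport}")
```

Any record this reports means a client could still reach an SMB server outside the local network, which is the condition the workaround is meant to prevent.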