
Microsoft Windows SMB Tree Connect Response denial of service vulnerability (Update)


straycat19


Krebs on Security released the following information on this vulnerability:

 

Vulnerability Note VU#867968

Microsoft Windows SMB Tree Connect Response denial of service vulnerability

Original Release date: 02 Feb 2017 | Last revised: 03 Feb 2017

Overview

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.

Description

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.

Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction.

Exploit code for this vulnerability is publicly available.

Impact

By causing a Windows system to connect to a malicious SMB share, a remote attacker may be able to cause a denial of service by crashing Windows.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block outbound SMB

Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

 

 

SANS released the following note on the delay of the February updates because of this specific vulnerability, which Microsoft had not been able to satisfactorily fix.

 

Microsoft product security updates originally scheduled for release on February 14, 2017 will be included in the March 14, 2017 batch instead. Microsoft made the decision to delay the release due to "a last minute issue that could impact some customers." Users had been expecting a fix for a zero-day Windows SMB vulnerability that has been exploited in the wild. CERT has suggested a workaround for the issue in its Vulnerability Note.

 

John Pescatore made the following comment after the RSA Conference:

 

Microsoft made the right decision: one bad patch that disrupts business operations can be a huge setback in making progress to shorten the time between when patches come out and when operational systems are updated. The irony is that this announcement came on the same day that Microsoft President Brad Smith was speaking at the RSA Conference, where he never once mentioned anything Microsoft was doing to increase the quality of patches, let alone have a month (or more) with no patches...

 

Krebs Source

 

Microsoft Blog

 

Arstechnica Article
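
A defensive check for the condition the CERT/CC description names, bytes following the 16-byte SMB2 TREE_CONNECT Response structure, as an added example that is not part of the original post or the advisory. Field offsets follow the SMB2 header layout in MS-SMB2; the function names and the sample messages are constructed for illustration, and the input is assumed to be one SMB2 transport payload with the 4-byte Direct TCP length prefix already removed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HDR_LEN = 64            # fixed SMB2 header size
TREE_CONNECT = 0x0003        # SMB2 TREE_CONNECT command code
FLAG_RESPONSE = 0x00000001   # SMB2_FLAGS_SERVER_TO_REDIR (server -> client)
TREE_RSP_LEN = 16            # fixed size of the TREE_CONNECT Response body


def tree_connect_excess(payload):
    """Return, for each successful TREE_CONNECT response in the payload,
    the number of bytes that follow the 16-byte response structure.
    Any non-zero count is the anomaly the advisory describes."""
    findings, off = [], 0
    while off + SMB2_HDR_LEN <= len(payload):
        if payload[off:off + 4] != SMB2_MAGIC:
            break  # not SMB2, or an encrypted SMB3 message we cannot inspect
        status, command, _credits, flags, next_cmd = struct.unpack_from("<IHHII", payload, off + 8)
        # A compounded message ends at NextCommand; the last one ends with the payload.
        end = off + next_cmd if next_cmd else len(payload)
        if end > len(payload) or end < off + SMB2_HDR_LEN:
            break  # malformed chaining: stop rather than guess
        body = payload[off + SMB2_HDR_LEN:end]
        if (command == TREE_CONNECT and flags & FLAG_RESPONSE and status == 0
                and len(body) >= TREE_RSP_LEN
                and struct.unpack_from("<H", body)[0] == TREE_RSP_LEN):
            findings.append(len(body) - TREE_RSP_LEN)
        if not next_cmd:
            break
        off = end
    return findings


def build_sample(trailing, next_cmd=0):
    """Constructed test message: header + 16-byte body + zero filler."""
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, TREE_CONNECT,
                      1, FLAG_RESPONSE, next_cmd, 1, 0, 1, 1, b"\0" * 16)
    body = struct.pack("<HBBIII", TREE_RSP_LEN, 0x01, 0, 0, 0, 0x001F01FF)
    return hdr + body + b"\0" * trailing


if __name__ == "__main__":
    for label, msg in (("well-formed", build_sample(0)), ("oversized", build_sample(8))):
        print(label, tree_connect_excess(msg))
```

Sessions that negotiate SMB3 encryption wrap messages in a transform header, so this check only sees cleartext responses; blocking outbound SMB at the perimeter remains the workaround the advisory gives.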
