US-CERT is warning about a Windows SMB zero-day flaw

Pierluigi Paganini February 03, 2017

The US-CERT issued a security advisory to warn of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited by a remote attacker.

The US-CERT is warning of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited to cause a denial of service condition or execute arbitrary code on a vulnerable system.

The flaw was publicly disclosed by @PythonResponder, who confirmed the issue affected Windows Server 2012 and 2016 versions.

The flaw resides in the way the Windows OS handles the Server Message Block traffic, the vulnerability could be remotely exploited by an unauthenticated attacker.

“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.” reads the advisory issued by the US-CERT. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.”

SMB zero-day flaw

The vulnerability was ranked with a Common Vulnerability Scoring System (CVSS) score of 10.0.

The advisory highlights that it is possible to trigger the flaw in multiple ways once a Windows system connects to an SMB share, and some attack scenarios don’t require user interaction.

“Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” continues the advisory.

When a vulnerable Windows machine connects to a malicious SMB server, it can crash in mrxsmb20.sys.

The US-CERT confirmed the public availability of the exploit code for this vulnerability and the lack of a practical solution to the problem.

A possible workaround consists in blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

The proof-of-concept code for this vulnerability has been published on GitHub.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Server Message Block, zero-day, hacking)

you might also like

leave a comment