US-CERT is warning about a Windows SMB zero-day flaw

The US-CERT issued a security advisory to warn of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited by a remote attacker.

The US-CERT is warning of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited to cause a denial of service condition or execute arbitrary code on a vulnerable system.

The flaw was publicly disclosed by @PythonResponder, who confirmed the issue affected Windows Server 2012 and 2016 versions.

The flaw resides in the way the Windows OS handles the Server Message Block traffic, the vulnerability could be remotely exploited by an unauthenticated attacker.

“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.” reads the advisory issued by the US-CERT. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.”

The vulnerability was ranked with a Common Vulnerability Scoring System (CVSS) score of 10.0.

The advisory highlights that it is possible to trigger the flaw in multiple ways once a Windows system connects to an SMB share, and some attack scenarios don’t require user interaction.

“Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” continues the advisory.

When a vulnerable Windows machine connects to a malicious SMB server, it can crash in mrxsmb20.sys.

The US-CERT confirmed the public availability of the exploit code for this vulnerability and the lack of a practical solution to the problem.

A possible workaround consists in blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

The proof-of-concept code for this vulnerability has been published on GitHub.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Server Message Block, zero-day, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.