Microsoft Server Message Block (SMB) Vulnerability allows for Remote Code Execution
-----BEGIN PGP SIGNED MESSAGE-----
STEAM-ADVISORY NO. 2009091801
PURDUE UNIVERSITY SECURITY TEAM CIRT
Friday, September 18 16:10:00 EDT 2009
**** NOTICE ****
Update 2: Microsoft has released a "Fix-it" tool to automatically disable the SMBv2 service, which is presently the only known mitigation technique other than implementing firewall rules to block SMB traffic.
The tool can be downloaded from Microsoft's website at the following URL:
(Copy and paste link into browser)
The MS Security advisory page further down in the Further Information and Resources section has also been updated to include a link to the Fix-It tool.
Update: Microsoft Server Message Block (SMB) Vulnerability allows for DoS and arbitrary remote code execution.
A vulnerability exists in Microsoft Windows SMB2.0 that can be exploited remotely to cause system failure. Currently this vulnerability is unpatched, but workarounds are available.
* Windows Vista SP1/SP2
* Windows Vista x64 SP1/SP2
* Windows Server 2008 SP1/SP2
* Windows Server 2008 x64 SP1/SP2
Update: Exploit code is now available that allows a remote attacker to execute arbitrary code.
An indexing error in the srv2.sys kernel driver of Microsoft Windows can be exploited via specially crafted SMB packets to cause a system crash on host machines. The vulnerability is present only in SMB2.0.
* Disable SMB2.0
* Enable Firewall blocks of ports 139 and 445
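The two workarounds above, applied and verified from an elevated PowerShell prompt on an affected host. This is an added example, not part of the original advisory. It assumes the host-based Windows Firewall is the firewall in use, that the SMB2.0 server is switched off through the Smb2 value of the LanmanServer service parameters, and the rule names are hypothetical.

```powershell
# Added example: apply and verify the advisory's two workarounds.
# Assumptions: elevated prompt, Windows Firewall enabled, rule names are illustrative.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Workaround 1: disable the SMB2.0 server component.
# The Smb2 DWORD is normally absent (SMB2.0 enabled); 0 turns it off.
New-ItemProperty -Path $params -Name 'Smb2' -PropertyType DWord -Value 0 -Force | Out-Null

# The Server service reads the value at start-up, so restart it.
Restart-Service -Name 'LanmanServer' -Force

# Workaround 2: block inbound SMB traffic on TCP 139 and 445.
$ports = 139, 445
foreach ($port in $ports) {
    $rule = "Block-SMB-In-$port"
    # Remove any earlier copy so repeated runs do not stack duplicate rules.
    netsh advfirewall firewall delete rule name=$rule | Out-Null
    netsh advfirewall firewall add rule name=$rule dir=in action=block protocol=TCP localport=$port | Out-Null
}

# Verification: report what is actually in effect, not what was requested.
$smb2 = (Get-ItemProperty -Path $params -Name 'Smb2' -ErrorAction SilentlyContinue).Smb2
if ($smb2 -eq 0) {
    Write-Output 'OK    SMB2.0 server disabled (Smb2 = 0)'
} else {
    Write-Output 'FAIL  Smb2 value missing or non-zero; SMB2.0 is still enabled'
}

foreach ($port in $ports) {
    netsh advfirewall firewall show rule name="Block-SMB-In-$port" | Out-Null
    # netsh exits non-zero when no rule with that name exists.
    if ($LASTEXITCODE -eq 0) {
        Write-Output "OK    inbound block rule present for TCP $port"
    } else {
        Write-Output "FAIL  no inbound block rule for TCP $port"
    }
}
```

Blocking ports 139 and 445 stops inbound file and print sharing to the host, so on a file server only the SMB2.0 change may be practical. With SMB2.0 disabled, clients fall back to the earlier SMB protocol version.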
==FURTHER INFORMATION AND RESOURCES==
SANS ISC Diary
Microsoft Security Advisory
www.microsoft.com/technet/security/advisory/975497.mspx
Laurent Gaffie Blog
==STEAM-CIRT CONTACT INFORMATION==
For questions concerning this advisory, please send email to:
Report computer-related abuse to steam-cirt:
http://www.purdue.edu/securepurdue/steam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Posted by William Harshbarger on October 02, 2009, in Advisory Alerts.