
Microsoft Server Message Block (SMB) Vulnerability allows for Remote Code Execution

STEAM-ADVISORY NO. 2009091801
PURDUE UNIVERSITY SECURITY TEAM CIRT
Friday, September 18 16:10:00 EDT 2009

**** NOTICE ****
Update 2: Microsoft has released a "Fix-it" tool to automatically disable the SMBv2 service, which is presently the only known mitigation technique other than implementing firewall rules to block SMB traffic.
The tool can be downloaded from Microsoft's website at the following URL:

support.microsoft.com/kb/975497

(Copy and paste link into browser)

The MS Security advisory page further down in the Further Information and Resources section has also been updated to include a link to the Fix-It tool.

Update: Microsoft Server Message Block (SMB) Vulnerability allows for DoS and arbitrary remote code execution.

****************

==OVERVIEW==

A vulnerability exists in Microsoft Windows SMB 2.0 that can be exploited remotely to cause system failure. The vulnerability is currently unpatched, but workarounds are available.

==SYSTEMS AFFECTED==

 * Windows Vista SP1/SP2
 * Windows Vista x64 SP1/SP2
 * Windows Server 2008 SP1/SP2
 * Windows Server 2008 x64 SP1/SP2

==DETAILS==
Update: Exploit code is now available which can allow for a remote attacker to execute arbitrary code.

An indexing error in the srv2.sys kernel driver of Microsoft Windows can be triggered by specially crafted SMB packets, causing a system crash on the host machine. The vulnerability is only present in SMB 2.0.

==SOLUTIONS==

 * Disable SMB2.0
 * Block TCP ports 139 and 445 at the firewall
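
The two workarounds above, as an added example that is not part of the original advisory: a PowerShell script that reports the current SMB2 server state, sets the Microsoft-documented registry override for KB 975497 (LanmanServer\Parameters\Smb2 = 0), and adds a Windows Firewall rule for ports 139 and 445. The rule name is an assumption chosen for this example; run from an elevated prompt.

```powershell
# Added example (not from the advisory): check and apply the two mitigations
# listed under SOLUTIONS. Assumes the registry value Microsoft documents for
# KB 975497 (LanmanServer\Parameters\Smb2) and netsh advfirewall, both
# present on Windows Vista / Server 2008. Requires an elevated prompt.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName  = 'Block inbound SMB (STEAM-ADVISORY 2009091801)'   # assumed name

function Get-Smb2State {
    # Weak state: the Smb2 value is absent (the default) or set to 1.
    $props = Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.PSObject.Properties['Smb2']) {
        return 'Enabled (default, no override present)'
    }
    if ($props.Smb2 -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-Smb2 {
    # Mitigated state: Smb2 = 0 (DWORD). Set-ItemProperty creates the value
    # if it does not exist yet.
    Set-ItemProperty -Path $paramsKey -Name 'Smb2' -Value 0 -Type DWord -Force
    # The Server service must be restarted before the change takes effect.
    Restart-Service -Name 'LanmanServer' -Force
}

function Block-SmbPorts {
    # Second mitigation: drop inbound NetBIOS session (139) and direct SMB (445).
    # Add the rule only once so repeated runs stay idempotent.
    $existing = netsh advfirewall firewall show rule name="$ruleName"
    if ($existing -match 'No rules match') {
        netsh advfirewall firewall add rule name="$ruleName" dir=in `
            action=block protocol=TCP localport=139,445 | Out-Null
    }
}

Write-Host "SMB2 before: $(Get-Smb2State)"
Disable-Smb2
Block-SmbPorts
Write-Host "SMB2 after:  $(Get-Smb2State)"
```

Blocking inbound 139/445 also stops legitimate file and print sharing to the host; where that is not acceptable, apply only the registry override or scope the rule to untrusted source addresses.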

==FURTHER INFORMATION AND RESOURCES==
SANS ISC Diary
isc.sans.org/diary.html?date=2009-09-16

Microsoft Security Advisory
www.microsoft.com/technet/security/advisory/975497.mspx

Laurent Gaffie Blog
g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Secunia Advisory
secunia.com/advisories/36623/

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
  itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
   http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam

--
STEAM-CIRT
Purdue University
abuse@purdue.edu

Posted by William Harshbarger on October 02, 2009, in Advisory Alerts.