Security Experts:

Windows SMB 0-Day Exposes Systems to Attacks

A 0-day memory corruption vulnerability discovered in the SMB (Server Message Block) protocol can be exploited to cause denial of service or potentially execute arbitrary code on a vulnerable system.

According to the United States Computer Emergency Readiness Team (US-CERT), which has already published an advisory on the matter, the bug resides in the manner in which Windows handles SMB traffic and can be exploited by remote, unauthenticated attackers for nefarious purposes.

SMB (one of its versions was also known as Common Internet File System, or CIFS), operates as an application-layer network protocol designed to allow machines to access files, printers, serial ports, and miscellaneous communications between nodes on a local network, while also offering an authenticated inter-process communication mechanism.

According to US-CERT, the Windows platform fails to properly handle a server response containing too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. Thus, when a vulnerable Windows client system connects to a malicious SMB server, it can crash (Black Screen of Death or BSOD) in mrxsmb20.sys.

The advisory also notes that the vulnerability has been already confirmed as being exploitable in denial of service attacks, but that it’s not clear whether it could be exploited further. By exploiting the vulnerability, an attacker might also be able to execute arbitrary code with Windows kernel privileges, US-CERT warns.

“We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems. Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” the advisory also notes.

With exploit code for the vulnerability already publicly available but no practical solution to this problem known at this time, suggested workarounds include blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

The vulnerability has a base Common Vulnerability Scoring System (CVSS) score of 10.0. It has been publicly reported by @PythonResponder, who says that Windows Server 2012 and 2016 versions are also affected. Proof-of-concept code has been published on GitHub.

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Related: Google Discloses Windows Zero-Day Vulnerability

Related: Windows Zero-Day Exploited by "FruityArmor" APT Group

view counter