New Windows SMB Zero-Day Leads to Denial of Service on Vulnerable Systems
Last Thursday, February 2, the United States Computer Emergency Readiness Team (US-CERT) released a security advisory detailing a memory corruption bug affecting several Windows operating systems that, when exploited by an unauthorized party, could remotely cause a denial of service (DoS) on a vulnerable system by crashing it.
The zero-day was found in the handling of Server Message Block (SMB) traffic that affects Windows 10, 8.1, Server 2012, and Server 2016. The SMB protocol is a network file-sharing protocol primarily used in providing shared access to files, printers, serial ports, and other miscellaneous communications between nodes found in a network.
US-CERT notes, “Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.” This means that when a vulnerable system connects to a malicious SMB server, it may eventually crash and be rendered inaccessible.
US-CERT confirmed how the security hole could lead to the denial of service on a vulnerable system. Apart from this, the bug also leaves a system open to remote arbitrary code execution by an attacker. As of this writing, no incident involving this scenario has yet to be recorded. A Proof of Concept code was made publicly available by security researcher Laurent Gaffié (@PythonResponder), who took to Twitter the existence of the SMB zero-day.
Upon discovery, the bug was initially graded with a severity level of 10 out of 10, which means that the vulnerability could easily be exploited even by untrained perpetrators. Not long after, this rating was lowered to a 7.8.
To exploit the vulnerability, an attacker would have to rely on social engineering tactics to get a user to connect to a malicious SMB server, commonly done by luring a victim to click on a malicious link and connect to a remote SMB server, which would then result to the blue screen of death (BSoD).
Trend Micro Deep Security shields networks through the Deep Packet Inspection (DPI) rule:
1008138- Microsoft Windows SMB Tree Connect Response Denial Of Service Vulnerability (CVE-2017-0016)
TippingPoint also protects networks from attacks exploiting these vulnerabilities with the following MainlineDV filter:
26893: SMB: Microsoft Windows mrxsmb20.dll Denial-of-Service Vulnerability
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.