Last Thursday, February 2, the United States Computer Emergency Readiness Team (US-CERT) released a security advisory detailing a memory corruption bug affecting several Windows operating systems that, when exploited by an unauthorized party, could remotely cause a denial of service (DoS) on a vulnerable system by crashing it.
The zero-day was found in the handling of Server Message Block (SMB) traffic and affects Windows 10, 8.1, Server 2012, and Server 2016. SMB is a network file-sharing protocol primarily used to provide shared access to files, printers, serial ports, and other inter-process communication between nodes on a network.
US-CERT notes, “Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.” This means that when a vulnerable system connects to a malicious SMB server, it may eventually crash and be rendered inaccessible.
US-CERT confirmed how the security hole could lead to a denial of service on a vulnerable system. Apart from this, the bug also leaves a system open to remote arbitrary code execution by an attacker. As of this writing, no incident involving this scenario has yet been recorded. Proof-of-concept code was made publicly available by security researcher Laurent Gaffié (@PythonResponder), who announced the existence of the SMB zero-day on Twitter.
Upon discovery, the bug was initially graded with a severity level of 10 out of 10, which means that the vulnerability could easily be exploited even by untrained perpetrators. Not long after, this rating was lowered to a 7.8.
To exploit the vulnerability, an attacker would have to rely on social engineering to get a user to connect to a malicious SMB server, commonly by luring the victim into clicking a malicious link that connects to the remote SMB server; the connection then results in the blue screen of death (BSoD).
According to US-CERT, no fix for this vulnerability is currently available. However, it issued recommendations directed at sysadmins to block outbound SMB connections from the local network to the WAN, specifically TCP ports 139 and 445 along with UDP ports 137 and 138. This workaround prevents users from connecting to any SMB server outside the local network, which ultimately diminishes any possibility of an exploit. It was also noted that Microsoft will include a patch for this vulnerability in the upcoming Patch Tuesday updates slated for release on February 14. Trend Micro Deep Security shields networks through the Deep Packet Inspection (DPI) rule:
1008138-Microsoft Windows Stack Overflow Remote Code Execution Vulnerability
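One way to verify that the egress workaround is actually holding is to check flow records for LAN hosts reaching SMB/NetBIOS ports outside RFC 1918 space. The following Python snippet is an added example (not from the US-CERT advisory or from Trend Micro); the flow-log line format and all sample addresses are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple

# Ports named in the US-CERT workaround: outbound SMB/NetBIOS from LAN to WAN.
SMB_EGRESS_BLOCK = {"tcp": {139, 445}, "udp": {137, 138}}

# RFC 1918 ranges treated as "the local network"; anything else counts as WAN.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def is_lan(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)

def leaves_local_network(flow: Flow) -> bool:
    """True when a LAN source talks to a destination outside the LAN (LAN -> WAN)."""
    return is_lan(flow.src) and not is_lan(flow.dst)

def is_smb_egress(flow: Flow) -> bool:
    """True when the destination port/protocol is one the workaround says to block."""
    return flow.dport in SMB_EGRESS_BLOCK.get(flow.proto, set())

def find_violations(lines: List[str]) -> List[Flow]:
    """Return flows that the egress rule should have blocked but that were observed."""
    return [f for f in map(parse_flow, lines)
            if is_smb_egress(f) and leaves_local_network(f)]

# Constructed sample flows (not real traffic); 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for internet hosts.
SAMPLE_FLOWS = [
    "10.0.0.12 203.0.113.7 tcp 445",      # LAN host to internet SMB: violation
    "10.0.0.12 10.0.0.5 tcp 445",         # LAN to LAN file share: allowed
    "192.168.1.20 198.51.100.9 udp 137",  # NetBIOS name service to internet: violation
    "192.168.1.20 198.51.100.9 tcp 443",  # HTTPS to internet: allowed
    "10.0.0.30 203.0.113.7 tcp 139",      # NetBIOS session to internet: violation
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"should have been blocked: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Any hit indicates either a gap in the perimeter rule or a host whose SMB traffic is bypassing it, which is exactly the path a malicious external SMB server would need.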