SMB Zero-Day affects Windows 8, 10 and Server

Martin Brinkmann
Feb 3, 2017
Updated • Jul 5, 2017
Security, Windows Updates

The United States Computer Emergency Readiness Team (US-CERT) published a vulnerability note yesterday about a new zero-day vulnerability affecting Microsoft Windows 8, 10 and Server editions.

It reads:

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system.

Attackers may cause a denial of service on affected versions of Windows by getting a Windows device to connect to a malicious SMB share. US-CERT notes that the vulnerability may also be exploitable to execute arbitrary code with Windows kernel privileges.

Attacked systems may throw a blue-screen on successful attacks.


The vulnerability description offers additional information:

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. It is not clear at this point whether this vulnerability may be exploitable beyond a denial-of-service attack. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems.

US-CERT confirmed the vulnerability on fully-patched Windows 8.1 and Windows 10 client systems. Bleeping Computer notes that security researcher PythonResponder claimed that it affects Windows Server 2012 and 2016 as well.

While there is no official confirmation of that yet, it seems likely that the Server products are also affected by the vulnerability.

Severity and suggested workarounds

US-CERT classifies the vulnerability with the highest severity rating of 10 using the Common Vulnerability Scoring System (CVSS). Factors that play a role in determining the severity of a vulnerability include whether it is remotely exploitable and how much expertise attackers need to exploit it successfully.

Microsoft has not released a security advisory yet, but it is probably only a matter of time before the company publishes a security advisory to inform customers about the vulnerability and mitigation options.

To protect Windows devices, US-CERT recommends blocking outbound SMB connections on TCP ports 139 and 445, and on UDP ports 137 and 138, from the local network to the WAN.

Home networks may be affected by the vulnerability as well, but a separate WAN boundary where such a block could be applied is not that common in home environments.

To find out whether your Windows device currently has any SMB connections open, do the following:

  1. Tap on the Windows-key, type Powershell, hold down the Ctrl and Shift keys, and hit the Enter-Key.
  2. Confirm the UAC prompt that appears.
  3. Run the command Get-SmbConnection.
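The following script is an added example; it is not part of the Ghacks article and not from US-CERT. It wraps the check above (Get-SmbConnection) together with a look at which SMB dialects the local server side accepts, and then optionally creates outbound host-firewall rules that approximate US-CERT's perimeter advice (block TCP 139/445 and UDP 137/138 leaving the local network). The function names, the rule names, the -Enforce-style -WhatIf workflow and the use of the firewall's predefined "Internet" address set as a stand-in for "local network to WAN" are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or US-CERT's code). Run from an elevated
# PowerShell, as the article's steps describe; the cmdlets need admin rights.

function Get-SmbExposureReport {
    [CmdletBinding()]
    param()

    # Active SMB client sessions: one row per share this machine has mounted.
    # An empty result means no current SMB connections.
    $connections = Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object ServerName, ShareName, Dialect, UserName

    # Which SMB dialects the local server side accepts (SMBv1 is the legacy one).
    $server = Get-SmbServerConfiguration |
        Select-Object EnableSMB1Protocol, EnableSMB2Protocol

    # Outbound block rules this example has already created, so we don't duplicate them.
    $existing = Get-NetFirewallRule -Direction Outbound -Action Block -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Block outbound SMB*' }

    [pscustomobject]@{
        ActiveConnections = @($connections)
        ServerDialects    = $server
        BlockRulesPresent = (@($existing).Count -gt 0)
    }
}

function Add-OutboundSmbBlockRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'Internet' is the Windows Firewall predefined address set for non-local
        # addresses; it approximates "local network to WAN" without hard-coding subnets.
        # (Assumption of this example; adjust to your own address ranges if needed.)
        [string]$RemoteAddress = 'Internet'
    )

    # Ports taken from the US-CERT recommendation quoted in the article.
    $rules = @(
        @{ Name = 'Block outbound SMB (TCP 139,445)'; Protocol = 'TCP'; RemotePort = @('139', '445') },
        @{ Name = 'Block outbound SMB (UDP 137,138)'; Protocol = 'UDP'; RemotePort = @('137', '138') }
    )

    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already exists: $($r.Name)"
            continue
        }
        # ShouldProcess honours -WhatIf / -Confirm, so the rules can be previewed first.
        if ($PSCmdlet.ShouldProcess($r.Name, 'Create outbound block rule')) {
            New-NetFirewallRule -DisplayName $r.Name `
                -Direction Outbound -Action Block `
                -Protocol $r.Protocol -RemotePort $r.RemotePort `
                -RemoteAddress $RemoteAddress -Enabled True | Out-Null
        }
    }
}

# Usage: report first, then preview the rules, then apply them deliberately.
$report = Get-SmbExposureReport
$report.ServerDialects    | Format-List
$report.ActiveConnections | Format-Table -AutoSize
"Outbound SMB block rules present: $($report.BlockRulesPresent)"
Add-OutboundSmbBlockRules -WhatIf     # preview only
# Add-OutboundSmbBlockRules           # uncomment to create the rules
```

The report step is safe to run on any machine; a blank ActiveConnections table is the same "blank" result readers describe in the comments and simply means no share is mounted right now. The firewall rules are host-level, so they protect the machine they are created on even when it is not behind a perimeter firewall, but they will also break legitimate access to SMB shares outside the local network, which is why the example previews with -WhatIf before applying anything.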

We will update the article once Microsoft publishes a security advisory for the vulnerability. (via Born City)


Comments

  1. PH8 said on February 8, 2017 at 7:32 pm
    Reply

    guys…try Get-SmbServerConfiguration to see in detail what is on/off etc.

    To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol,EnableSMB2Protocol

    To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-SMBServerConfiguration -EnableSMB1Protocol $false

    see this link and the two links in blue on that page for what to do:
    https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

    – Hope that helps ;-)

  2. sysop said on February 4, 2017 at 7:15 pm
    Reply

    @ Oxa: I ran it with administrator privileges. Is there some level “elevated” above that?

    Answer: ‘system’ is one, but there are hidden logons, too!

    – enjoy your microsoft experience –

  3. All Things Firefox said on February 4, 2017 at 2:16 am
    Reply

    This vulnerability has since been downgraded to 7.8, which is still bad but far from the worst possible.

  4. Sunny said on February 3, 2017 at 10:09 pm
    Reply

    Does the system connect to the internet to check this?

  5. Steve said on February 3, 2017 at 9:34 pm
    Reply

    This is what I got
    PS C:\Windows\system32> Get-SmbConnection
    Get-SmbConnection : The term ‘Get-SmbConnection’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name,
    or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + Get-SmbConnection
    + ~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (Get-SmbConnection:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

  6. Yuliya said on February 3, 2017 at 7:32 pm
    Reply

    The most secure OS ever made, designed specifically for today’s connected world. So much for it.

  7. Corky said on February 3, 2017 at 7:10 pm
    Reply

    Isn’t it a bit irresponsible to go public before notifying the developer, or have I missed when they notified Microsoft?

  8. Oxa said on February 3, 2017 at 5:58 pm
    Reply

    + CategoryInfo : PermissionDenied: (MSFT_SMBConnection:ROOT/Microsoft/…T_SMBConnection) [Get-SmbConnection], CimException
    + FullyQualifiedErrorId : Windows System Error 5,Get-SmbConnection

    ???

    1. Martin Brinkmann said on February 3, 2017 at 6:11 pm
      Reply

      You need to run Powershell with elevated privileges as mentioned in the guide, it won’t work otherwise.

      1. Oxa said on February 3, 2017 at 6:30 pm
        Reply

        I ran it with administrator privileges. Is there some level “elevated” above that?

  9. jern said on February 3, 2017 at 4:23 pm
    Reply

    MS suggests that Win7 is unsafe. I can’t recall any other tech company ever bad-mouthing one of its own products. I’ve never had a problem with Win7’s security. It’s a damn fine operating system and MS should be proud of it instead of bad-mouthing it.

    MS seems desperate to get users to migrate to Win10.

    1. Tom Hawack said on February 3, 2017 at 6:41 pm
      Reply

      It’s not that they seem, it’s that they are. Desperate. Considering how Win7 is doing its way, like a feather in a storm, I wouldn’t be surprised if the company slowly but surely softens its inquisitive and all-advertisement policy. Maybe the OS will then be acceptable by January 2020 when Win7 officially retires.

      Like Jason wrote above, there’s no sense in getting on a party because Win10 (and 8.1) is concerned by the Zero-Day vulnerability and not Windows 7, so I’ll just sit down and relax, free of triumphalism :)

  10. Henk van Setten said on February 3, 2017 at 4:18 pm
    Reply

    Martin’s Powershell command produced a blank on the 8.1 desktop PC where I tried it. So I guess that’s good.

    Still, a little more understandable info for the layman (like me) would be welcome. I take it that if you don’t use any kind of file sharing between your computer and other computers beyond your own home, then this problem doesn’t apply? Or is this putting it too simply?

    1. Mark Hazard said on February 3, 2017 at 5:31 pm
      Reply

      I got the same result on Powershell on Windows 8.1. I guess I am good.

  11. DaveyK said on February 3, 2017 at 2:16 pm
    Reply

    Good that MS advised business to dump the “inherently insecure” Windows 7 and move to Windows 10. Now remind me, which of these two OSs isn’t affected by this issue? Oh wait…

    1. Jason said on February 3, 2017 at 3:57 pm
      Reply

      If you’re making fun of Microsoft’s marketing strategy to push people to Windows 10, I agree, it’s silly – Windows 7 is at least as safe as Windows 10, and arguably more.

      But let’s be clear that Windows 7 has been affected by zero-days too. Every OS (Windows, Linux, whatever) gets them eventually. The real issue is not whether an OS has them, but whether the developers are able to patch them quickly once discovered.

      Actually I’m just wondering how many zero-days spy organizations are quietly exploiting instead of warning the general public about them….

      1. jern said on February 5, 2017 at 5:13 pm
        Reply

        I’d bet the world’s security services have a boatload of OS vulnerabilities stored away.

        Stuxnet attackers used 4 Windows zero-day exploits
        http://www.zdnet.com/article/stuxnet-attackers-used-4-windows-zero-day-exploits/
