0-Day Vulnerability Allows Hackers to Exploit SMB Traffic

The United States Computer Emergency Readiness Team (US-CERT) is warning about a 0-day memory corruption vulnerability in SMB (Server Message Block). The organization issued an advisory last week to alert computer users to the threat.

According to the advisory, the flaw can be used to launch denial-of-service attacks and to execute arbitrary code on the targeted system. The vulnerability lies in the code that handles SMB traffic.

The 0-day vulnerability was first reported by security researcher PythonResponder, who stated that Windows Server 2012 and 2016 are also susceptible to the attack. Proof-of-concept code was published on GitHub. The vulnerability was assigned a base Common Vulnerability Scoring System (CVSS) score of 10.0.

SMB (known as the Common Internet File System, or CIFS, in earlier Windows versions) is a network protocol that provides shared access to system resources such as files, printers, and serial ports over a network. The protocol also carries communication between nodes on a local network and provides an authenticated inter-process communication mechanism.

US-CERT experts explain that the attack works by overloading the system: certain Windows versions are unable to process server responses that contain too many bytes following the SMB2 TREE_CONNECT response structure. When a vulnerable Windows system connects to a malicious SMB server, it crashes in mrxsmb20.sys, and a blue screen of death (BSOD) error appears as soon as the connection to the malicious server is established.
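As an added defender-side example (not code from the advisory or from the published proof of concept), the following Python check parses an SMB2 message and flags TREE_CONNECT responses that carry bytes beyond the 16-byte response structure described above. Field offsets follow the MS-SMB2 wire format; the sample messages it builds are constructed test fixtures, not captured traffic.

```python
import struct

# SMB2 constants from MS-SMB2: the header is always 64 bytes, and a well-formed
# TREE_CONNECT response body is exactly 16 bytes (its own StructureSize field).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every server-to-client message
TREE_CONNECT_RESP_LEN = 16


def check_tree_connect_response(msg: bytes) -> dict:
    """Inspect one SMB2 message (4-byte transport length prefix already removed).

    Reports whether it is a TREE_CONNECT response and how many bytes trail the
    16-byte response structure; any trailing bytes are treated as suspicious,
    since that is the malformed shape the advisory describes."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        return {"smb2": False, "suspicious": False}
    # Header fields after the magic: StructureSize, CreditCharge, Status,
    # Command, CreditRequest/Response, Flags (all little-endian).
    hdr_size, _, status, command, _, flags = struct.unpack_from("<HHIHHI", msg, 4)
    if hdr_size != SMB2_HEADER_LEN:
        return {"smb2": True, "suspicious": True, "reason": "bad header StructureSize"}
    if command != SMB2_TREE_CONNECT or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return {"smb2": True, "tree_connect_response": False, "suspicious": False}
    body = msg[SMB2_HEADER_LEN:]
    body_size = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else 0
    excess = len(body) - TREE_CONNECT_RESP_LEN
    return {
        "smb2": True,
        "tree_connect_response": True,
        "status": status,
        "structure_size": body_size,
        "excess_bytes": max(excess, 0),
        "suspicious": excess > 0 or body_size != TREE_CONNECT_RESP_LEN,
    }


def sample_tree_connect_response(extra: int) -> bytes:
    """Constructed fixture: a minimal TREE_CONNECT response (status SUCCESS,
    disk share) with `extra` zero bytes appended after the 16-byte structure."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ16s",
        SMB2_HEADER_LEN, 0, 0, SMB2_TREE_CONNECT, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 1, 0, 1, 0, b"\x00" * 16)
    body = struct.pack("<HBBIII", TREE_CONNECT_RESP_LEN, 1, 0, 0, 0, 0x001F01FF)
    return header + body + b"\x00" * extra
```

Running `check_tree_connect_response` over each server-to-client SMB2 message in a capture, and alerting when `suspicious` is set, gives a simple network-side indicator for this malformed response.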

The 0-day vulnerability is still being examined. The advisory states that while the weakness has so far only been confirmed to cause denial of service, it has not been fully analyzed, and it could possibly be used for other exploits. Experts estimate that the vulnerability could allow attackers to execute arbitrary code with Windows kernel privileges.

The advisory notes which system versions are vulnerable and elaborates how the attacks work.
“We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems. Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” US-CERT explained.

While the exploit code has been identified, no fix is yet available. A proposed workaround is to block outbound SMB connections (TCP ports 139 and 445; UDP ports 137 and 138) from the local network to the WAN.
