Exploit code for an unpatched vulnerability in Microsoft SMBv2 has been publicly released with a fix solution provided.
After being discovered on 8th September the vulnerability was initially kept private but apparently fell into the wrong hands and was made public earlier today, according to Mary Landesman, senior security researcher at ScanSafe.
She claimed that this has ‘likely escalated Microsoft's work on a patch to resolve the vulnerability'. A blog post on 18th September claimed Microsoft had ‘already completed over 10,000 separate test cases in their regression testing' and were in the process of ‘stress testing, third-party application testing and fuzzing'.
Landesman claimed that because the vulnerability exists only in v2 of SMB, Windows XP and Server 2003 (which use SMBv1) are not impacted.
Landesman said: “The good news is those who have tested the exploit claim it is only able to remotely execute code on vulnerable systems when those operating systems are run in VMware environments.
“If run on a physical machine, allegedly the public exploit code simply causes the machine to crash - admittedly a still-serious form of denial-of-service attack, but an improvement over remote code execution. If true, this lessens the likelihood of a wormable exploit (at least based on the code as it currently exists).”
Microsoft has provided mitigation advice and workarounds in Microsoft Security Advisory 975497. The United States Computer Emergency Readiness Team (US-CERT) claimed that it was ‘aware that exploit code for this vulnerability has been made publicly available as part of the Metasploit Framework'. It recommended ‘users and system administrators are strongly encouraged to apply the Microsoft Fix it solution or other workarounds until a patch is released'.
ScanSafe claimed that it is not aware of any in-the-wild exploit of the vulnerability, but was continuing to monitor the situation closely.