Zero day Windows SMB network file sharing bug may lead to DoS and BSOD

News by Rene Millman

Admins must wait until Patch Tuesday for Microsoft to fix a memory corruption bug that could enable an attacker to leverage SMB to crash computers.

A publicly disclosed flaw in SMB network file sharing, affecting all currently supported versions of Windows, will not be fixed until the next round of Patch Tuesday updates.

The flaw in the Server Message Block (SMB) triggered a security advisory from the US CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

"Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system," the organisation said.

It added that Microsoft Windows fails to properly handle traffic from a malicious server.

“In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys,” the advisory added.

The organisation said that that there are several techniques that can be used to trigger a Windows system to connect to an SMB share and that some may require little to no user interaction.

Independent security researcher Laurent Gaffié, who originally discovered the bug, said on Twitter that Microsoft won't patch the flaw until 14 February, when Patch Tuesday next occurs.

US CERT said that as a workaround, organisations could block outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

David Kennerley, director of threat research at Webroot, told SC Media UK that the flaw could result in a hacker mounting a simple DoS-style attack.

“A user would need to somehow connect to an attacker's SMB server, possibly through a phishing link. If an attacker can get a user to click on a link within an email, they are more likely to want to target them with an exploit that would give them some sort of privilege escalation, rather than just denial of service. Admins should always look to patch vulnerabilities as soon as possible, but it's unlikely that this vulnerability will be targeted by attackers,” he said.

Mark James, security specialist at ESET, told SC that the threat needs to be taken “very seriously”.

“The IT systems administrator's job these days is not an easy task with so many tools being made available that at one time would require a good degree of coding knowledge to deliver can now be rented, purchased or freely downloaded from the internet,” he said.

Gavin Millard, EMEA technical director of Tenable Network Security, told SC that with the proof of concept available on Github, it's not going to take long for pranksters to take advantage of the bug and reboot machines by encouraging users to visit sites hosting the code.

“Luckily most enterprises don't allow SMB calls outbound (ports 137,138,139 and 445), which stops users from connecting to malicious SMB servers. For smaller businesses and home users though, you generally find SoHo routers do allow the traffic through, which could easily lead to a reboot,” he said.

Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop