SMB2 remote exploit released

Published: 2009-09-16
Last Updated: 2009-09-16 21:15:36 UTC
by Bojan Zdrnja (Version: 1)
2 comment(s)

Last week Guy posted a diary (http://isc.sans.org/diary.html?storyid=7093) about a 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems. Back then the exploit only crashed affected systems.

This is already bad enough; however, it just got worse. Yesterday a well known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability – in other words, any user running this tool can get full access to affected machines.

If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating.
So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure you apply one of workarounds listed by Microsoft (they are not perfect, but they can help), available here:

  • Run a host based firewall which will block access to ports 139 and 445. Please note that the builtin firewall in Windows Vista will automatically block this traffic if your location is set to Public. In other words, if you connect to a wireless network at Starbucks and set this you will be fine, but if you are inside your organization you are probably vulnerable, unless your administrators went one step further and used group policies to properly configure your firewall.
  • Disable SMB2. This has some performance impacts, but it's nothing one can't live without until the patch is out. However, it requires modifying the registry.

We will keep an eye on the development and will update the diary as necessary.

--
Bojan

2 comment(s)

Comments

In the Microsoft Advisory, Windows Server 2008 SP1 is not listed in either Affected or Non-Affected Software. Is it vulnerable?
Going to answer my own question ;) - Windows 2008 SP1 is the same as Windows 2008 RTM (Windows 2008 was released at SP1 level) so it is affected.

Diary Archives