TECHNICAL BULLETIN
| PROBLEM: | Microsoft Windows is prone to a remote code-execution vulnerability when processing the protocol headers for the Server Message Block (SMB) Negotiate Protocol Request. |
| PLATFORM: | Windows Vista all versions, Windows Server 2008 all versions |
| ABSTRACT: | Array index error in the SMB2 protocol implementation in srv2.sys allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in the Process ID High header field of a NEGOTIATE PROTOCOL REQUEST packet. The field value is used as an array index without being checked against the array's bounds, which triggers an attempted dereference of an out-of-bounds memory location. The Negotiate Protocol Request is the first message of an SMB session and requires no authentication. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-228.shtml |
| OTHER LINKS: | Microsoft Website http://www.microsoft.com/technet/security/advisory/975497.mspx ; SANS Website http://isc.sans.org/diary.html?storyid=7093 |
| CVE: | CVE-2009-3103 |
| IMPACT ASSESSMENT: | This risk is high. An attacker can exploit this issue to execute code with SYSTEM-level privileges; failed exploit attempts will likely cause denial-of-service conditions. |
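The abstract names the header field involved (Process ID High in the Negotiate Protocol Request). The following is an added example, not part of the DOE-CIRC bulletin or of any Microsoft or SecurityFocus material: a PowerShell routine that parses an SMB1-framed negotiate request, extracts that field and the offered dialects, and flags a non-zero Process ID High. The header layout follows MS-CIFS; the rule that an ordinary client sends a zero Process ID High in its negotiate request is a detection heuristic assumed here, not a statement from the bulletin, and the sample packet is constructed, not captured traffic.

```powershell
# Added example (not from the DOE-CIRC bulletin). Inspects an SMB1-framed Negotiate
# Protocol Request and flags a non-zero Process ID High field. Header layout (MS-CIFS
# 2.2.3.1), 32 bytes after the 4-byte NetBIOS Session Service header used on TCP/445:
#   Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
#   SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
# Heuristic (an assumption, not a bulletin statement): normal clients send PIDHigh = 0
# in a negotiate request, so any other value in that field is worth an alert.

function Test-SmbNegotiateRequest {
    param([Parameter(Mandatory)][byte[]]$Packet)

    $r = [ordered]@{ IsNegotiate = $false; PidHigh = 0; Dialects = @()
                     OffersSmb2 = $false; Suspicious = $false; Reason = '' }

    if ($Packet.Length -lt 36) { $r.Reason = 'shorter than NetBIOS + SMB header'; return [pscustomobject]$r }
    [byte[]]$smb = $Packet[4..($Packet.Length - 1)]   # strip the NetBIOS session header

    if ($smb[0] -ne 0xFF -or $smb[1] -ne 0x53 -or $smb[2] -ne 0x4D -or $smb[3] -ne 0x42) {
        $r.Reason = 'not an SMB1 header'; return [pscustomobject]$r
    }
    if ($smb[4] -ne 0x72) { $r.Reason = 'not SMB_COM_NEGOTIATE (0x72)'; return [pscustomobject]$r }
    $r.IsNegotiate = $true
    $r.PidHigh = [BitConverter]::ToUInt16($smb, 12)

    # Parameter block: WordCount (0 for negotiate); data block: ByteCount followed by
    # dialect strings, each encoded as 0x02 plus a NUL-terminated ASCII name.
    $dataOff = 33 + 2 * $smb[32]
    if ($smb.Length -ge $dataOff + 2) {
        $pos = $dataOff + 2
        $end = [Math]::Min($smb.Length, $pos + [BitConverter]::ToUInt16($smb, $dataOff))
        while ($pos -lt $end -and $smb[$pos] -eq 0x02) {
            $start = ++$pos
            while ($pos -lt $end -and $smb[$pos] -ne 0x00) { $pos++ }
            $r.Dialects += [Text.Encoding]::ASCII.GetString($smb, $start, $pos - $start)
            $pos++   # skip the NUL terminator
        }
    }
    # SMB2 is negotiated by offering an "SMB 2.xxx" dialect inside an SMB1 negotiate request.
    $r.OffersSmb2 = @($r.Dialects -like 'SMB 2.*').Count -gt 0
    if ($r.PidHigh -ne 0) {
        $r.Suspicious = $true
        $r.Reason = 'PIDHigh 0x{0:X4} in a negotiate request' -f $r.PidHigh
    }
    [pscustomobject]$r
}

# Constructed sample (not captured traffic): a negotiate request that offers the SMB 2.002
# dialect and carries the ampersand byte (0x26) in PIDHigh, as the CVE text describes.
[byte[]]$dialects = @()
foreach ($name in 'PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'NT LM 0.12', 'SMB 2.002') {
    $dialects += [byte[]](@(0x02) + [Text.Encoding]::ASCII.GetBytes($name) + @(0x00))
}
[byte[]]$header = @(
    0xFF, 0x53, 0x4D, 0x42,   # "\xFFSMB"
    0x72,                     # SMB_COM_NEGOTIATE
    0, 0, 0, 0,               # Status
    0x18,                     # Flags
    0x53, 0xC8,               # Flags2
    0x00, 0x26,               # PIDHigh: the ampersand byte from the CVE description
    0, 0, 0, 0, 0, 0, 0, 0,   # SecurityFeatures
    0, 0,                     # Reserved
    0xFF, 0xFF,               # TID
    0xFE, 0xFF,               # PIDLow
    0, 0,                     # UID
    0, 0                      # MID
)
[byte[]]$body = @(0x00) + [BitConverter]::GetBytes([uint16]$dialects.Length) + $dialects
$len = $header.Length + $body.Length
[byte[]]$nbt = @(0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))

Test-SmbNegotiateRequest -Packet ($nbt + $header + $body) | Format-List
```

On the constructed packet the function reports IsNegotiate and OffersSmb2 as true and Suspicious as true with the reason "PIDHigh 0x2600 in a negotiate request". A zero Process ID High is the expected value for a genuine client, so the check produces few false positives; it does not, by itself, prove an exploitation attempt, and a server with SMB2 disabled (the bulletin's workaround) is not affected by the request even if it is flagged.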
[***** Start CVE-2009-3103 *****]

Discussion:
Microsoft Windows is prone to a remote code-execution vulnerability when processing the protocol headers for the Server Message Block (SMB) Negotiate Protocol Request. The Negotiate Protocol Request is the first message a client sends, before any authentication takes place, so the flaw is reachable by any host that can open a TCP connection to the SMB ports; reportedly, file sharing must be enabled for the issue to be exploitable. An attacker can exploit this issue to execute code with SYSTEM-level privileges; failed exploit attempts will likely cause denial-of-service conditions (a system crash).

Vulnerable:
  * Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  * Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  * Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  * Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  * Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

The following proofs of concept are available:
  http://downloads.securityfocus.com/vulnerabilities/exploits/36299-2.rb
  http://downloads.securityfocus.com/vulnerabilities/exploits/36299-3.c
  http://downloads.securityfocus.com/vulnerabilities/exploits/36299-4.c
  http://downloads.securityfocus.com/vulnerabilities/exploits/36299-5.c
  http://downloads.securityfocus.com/vulnerabilities/exploits/36299.py

Solution:
Currently we are not aware of any vendor-supplied patches.

Workaround: Disable SMB v2
To modify the registry key, perform the following steps:
  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  3. Click LanmanServer.
  4. Click Parameters.
  5. Right-click to add a new DWORD (32 bit) Value.
  6. Enter Smb2 in the Name data field, and change the Value data field to 0.
  7. Exit.
  8. Restart the "Server" service by performing one of the following:
     - Open the Computer Management MMC, navigate to Services and Applications, click Services, right-click the Server service and click Restart. Answer Yes in the pop-up menu.
     - From a command prompt with administrator privileges, type net stop server and then net start server.
The registry change takes effect only after the Server service has been restarted.
Impact of workaround: the host will not be able to communicate using SMB2; clients negotiate down to SMB1 (CIFS) instead.

Workaround: Block TCP ports 139 and 445 at the firewall
These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems behind that firewall from exploitation attempts originating outside it; it does not protect against attackers who already have a foothold on the internal network.
Impact of workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are:
  - Applications that use SMB (CIFS)
  - Applications that use mailslots or named pipes (RPC over SMB)
  - Server (File and Print Sharing)
  - Group Policy
  - Net Logon
  - Distributed File System (DFS)
  - Terminal Server Licensing
  - Print Spooler
  - Computer Browser
  - Remote Procedure Call Locator
  - Fax Service
  - Indexing Service
  - Performance Logs and Alerts
  - Systems Management Server
  - License Logging Service

[***** End CVE-2009-3103 *****]
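The two workarounds above in scripted form, as an added example that is not part of the DOE-CIRC bulletin or of Microsoft's advisory: PowerShell run from an elevated prompt on the affected host. The registry path, value name and service are the ones the bulletin gives. The netsh rule is the host-firewall counterpart of the bulletin's perimeter recommendation and is an assumption on my part as to how an administrator would apply that control locally; it carries the same service impact the bulletin lists.

```powershell
# Added example (not from the DOE-CIRC bulletin): scripted form of the "Disable SMB v2"
# workaround plus a host-firewall block of the SMB ports. Run from an elevated prompt.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2Setting {
    # Absent value means the default, i.e. SMB2 enabled.
    $v = Get-ItemProperty -Path $ParamsKey -Name Smb2 -ErrorAction SilentlyContinue
    if ($null -eq $v) { 'Smb2 not set (SMB2 enabled by default)' } else { "Smb2 = $($v.Smb2)" }
}

function Set-Smb2Enabled {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $ParamsKey)) { throw "Registry key not found: $ParamsKey" }
    $value = if ($Enabled) { 1 } else { 0 }
    Set-ItemProperty -Path $ParamsKey -Name Smb2 -Value $value -Type DWord

    # The "Server" service (LanmanServer) must be restarted for the change to take effect.
    # -Force also restarts dependent services such as Computer Browser, which the manual
    # "net stop server" step would otherwise stop and ask about.
    Restart-Service -Name LanmanServer -Force

    # Read the value back and confirm the service is up again before reporting success.
    $readBack = (Get-ItemProperty -Path $ParamsKey -Name Smb2).Smb2
    if ($readBack -ne $value) { throw "Smb2 is $readBack after write, expected $value" }
    "Smb2 = $readBack; Server service is $((Get-Service -Name LanmanServer).Status)"
}

function Block-SmbInbound {
    # Host-level equivalent of the bulletin's perimeter recommendation, using the Windows
    # Firewall with Advanced Security command line available on Vista / Server 2008.
    # Assumption: blocking inbound TCP 139/445 on the host itself is acceptable here;
    # the service impact listed in the bulletin applies to this host's clients.
    netsh advfirewall firewall add rule name=BlockSMB-CVE-2009-3103 `
        dir=in action=block protocol=TCP localport=139,445
}

# Usage (elevated):
#   Get-Smb2Setting                    # inspect current state
#   Set-Smb2Enabled -Enabled $false    # apply the workaround and restart the Server service
#   Block-SmbInbound                   # optional host-firewall block of TCP 139 and 445
#   Set-Smb2Enabled -Enabled $true     # revert once a vendor fix is installed
```

Set-Smb2Enabled throws rather than reporting success if the read-back value does not match, so it can be run across many hosts (for example via Invoke-Command) and failures will surface as errors. Reverting is the same write with the value 1, followed by the same service restart.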
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov