CERT-MU Vulnerability Note VN-2009-30

Microsoft Windows Server Message Block (SMB) Denial of Service Vulnerability

Original Issue Date: November 16, 2009

Severity Rating: High

Affected Software

  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for Itanium-based Systems

Overview

A zero-day vulnerability has been reported in the Microsoft Server Message Block (SMB) implementation.

Successful exploitation allows an attacker to cause a denial-of-service (DoS) condition on affected systems. Legitimate users of an affected system could lose access to system resources until it is restarted.

Description

Microsoft Server Message Block (SMB) is a Microsoft network file sharing protocol.

The SMBv2 protocol is a major revision of the existing SMB protocol and is only supported on computers running Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

SMBv2 requires support on both the client and the server, which is determined during the negotiation phase. If either side does not support it, SMBv1 is chosen for subsequent communication.

The vulnerability is due to the Server Message Block (SMB) protocol software insufficiently validating all fields when parsing specially crafted SMB response packets whose NetBIOS header carries an incorrect length value (4 bytes smaller or more than the SMB packet), which leads to an infinite loop condition and a kernel crash.
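
A defensive check for the condition described above, as an added example that is not part of the original note or of Microsoft's code: it compares the length declared in the 4-byte header with the bytes that actually follow it in a captured server response. It assumes direct-TCP framing (one zero byte followed by a 24-bit big-endian length) and one reassembled response per buffer; the function names and sample frames are constructed for illustration.

```python
SMB_MAGICS = (b"\xffSMB", b"\xfeSMB")  # SMBv1 and SMBv2 protocol identifiers


def check_frame(buf: bytes) -> dict:
    """Compare the header's declared length with the payload actually present.

    Assumption: buf is exactly one reassembled response, framed as a zero
    type byte followed by a 24-bit big-endian length.
    """
    if len(buf) < 4:
        return {"verdict": "truncated-header", "declared": None,
                "actual": None, "delta": None}
    declared = int.from_bytes(buf[1:4], "big")
    payload = buf[4:]
    actual = len(payload)
    if buf[0] != 0x00:
        verdict = "not-session-message"
    elif payload[:4] not in SMB_MAGICS:
        verdict = "not-smb"
    elif declared != actual:
        verdict = "length-mismatch"  # the inconsistency the note describes
    else:
        verdict = "ok"
    return {"verdict": verdict, "declared": declared,
            "actual": actual, "delta": declared - actual}


def scan(frames):
    """Return (index, result) for every frame that is not well-formed."""
    results = ((i, check_frame(f)) for i, f in enumerate(frames))
    return [(i, r) for i, r in results if r["verdict"] != "ok"]


def _sample(payload: bytes, declared=None) -> bytes:
    """Build a constructed test frame; declared overrides the true length."""
    n = len(payload) if declared is None else declared
    return b"\x00" + n.to_bytes(3, "big") + payload


# Constructed sample data: SMB2 magic plus zero padding, not a real response.
_BODY = b"\xfeSMB" + bytes(60)
SAMPLES = [
    _sample(_BODY),                  # header length matches payload
    _sample(_BODY, len(_BODY) - 4),  # header claims 4 bytes fewer
    _sample(_BODY, len(_BODY) + 4),  # header claims 4 bytes more
]

if __name__ == "__main__":
    for idx, res in scan(SAMPLES):
        print(f"frame {idx}: {res['verdict']} (delta {res['delta']:+d} bytes)")
```
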

An attacker can exploit this vulnerability by tricking a user into visiting a website that forces an SMB connection to a malicious SMB server, or through compromised websites and websites that accept or host user-provided content.

NOTE:

  • Proof-of-concept exploit code is publicly available.
  • Both SMB v1 and SMB v2 are affected.

Workaround

  • Block TCP ports 139 and 445 at the firewall

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Advisory 977544.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/977544.mspx

CVE Name
CVE-2009-3676

References

Microsoft
http://www.microsoft.com/technet/security/advisory/977544.mspx

http://msdn.microsoft.com/en-us/library/aa365233(vs.85).aspx

http://www.microsoft.com/security/pypc.aspx

http://go.microsoft.com/fwlink/?LinkId=21312

ISC SANS
http://isc.sans.org/diary.html?storyid=7597

http://isc.sans.org/diary.html?storyid=7573

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=19173

VUPEN
http://www.vupen.com/english/advisories/2009/3216

SecurityFocus
http://www.securityfocus.com/bid/36989

Secunia
http://secunia.com/advisories/37347/

Laurent Gaffié Blog
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

 
 