Microsoft Confirms SMB2 Flaw, Heightens Severity

Microsoft has issued a formal security advisory to confirm the remote reboot flaw in its implementation of the SMB2 protocol, going a step further to warn that a successful attack could lead to remote code execution and full system takeover.

The vulnerability, which was originally released as a denial-of-service issue, does not affect the RTM version of Windows 7, Microsoft said. It appears Microsoft fixed the flaw in Windows 7 build ~7130, just after RC1. Windows Vista and Windows Server 2003 users remain at risk.

The Microsoft advisory is somewhat confusing. It mentions the plural “vulnerabilities” in the title but later warns of “a possible vulnerability in Microsoft Server Message Block (SMB) implementation.”

It is, however, very clear about the risk severity:

An attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.

Microsoft points to this CVE entry to explain the actual bug:

Array index error in the SMB2 protocol implementation in srv2.sys in Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location.

Proof of concept code, which allows an attacker to remotely crash any vulnerable machine with SMB enabled, is publicly available.

In the absence of patch, Microsoft recommends that users disable SMB v2 and block TCP ports 139 and 445 at the firewall.