The United States Computer Emergency Readiness Team (US-CERT) has published a new zero-day vulnerability that affects the Microsoft Windows 8, 10 and Server operating systems.
US-CERT states:
Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which can allow a remote, unauthenticated intruder to cause a denial of service or potentially run arbitrary code on a vulnerable system.
Attackers using this zero-day can cause denial-of-service (DoS) conditions on versions of Windows that contain the bug, which is triggered when a vulnerable device connects to a malicious SMB server. US-CERT states that the vulnerability could also potentially be exploited to execute arbitrary code with Windows kernel privileges.
The vulnerability description lists additional information:
Windows fails to properly handle traffic from a malicious server. In particular, Windows does not correctly handle a server response that contains too many bytes following the structure defined by the SMB2 TREE_CONNECT Response. By connecting to a malicious SMB server, a vulnerable Windows system may display a BSOD (Blue Screen of Death) with an error in Mrxsmb20.sys. It is not clear at this point whether this vulnerability is exploitable beyond a denial-of-service attack. We have confirmed the crash on fully patched Windows 10 and Windows 8.1 client systems.
US-CERT has confirmed the vulnerability on fully patched Windows 8.1 and Windows 10 client systems. The Bleeping Computer website reports that security researcher PythonResponder claims the vulnerability also affects Windows Server 2012 and 2016.
There is currently no official confirmation that Windows Servers are affected by the vulnerability.
US-CERT assigns the vulnerability the highest severity rating (10), and it is worth noting that Microsoft has not yet released any security updates.
In the meantime, US-CERT recommends blocking all outbound SMB connections on TCP ports 139 and 445 and UDP ports 137 and 138 from the LAN to the WAN.
To find out whether your Windows system currently has any SMB connections, do the following:
- In Search, type PowerShell, right-click the icon and choose Run as administrator.
- Confirm the UAC prompt that appears.
- Run the Get-SmbConnection command.
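The following script is an added example and is not part of the original article or US-CERT's guidance: it inventories the active SMB client sessions that Get-SmbConnection reports, then creates host-level outbound block rules for the ports US-CERT names, scoped with the Windows Firewall `Internet` address keyword to approximate the LAN-to-WAN scope of the recommendation (the rule display names are chosen here, not taken from any source).

```powershell
# Added example: run from an elevated PowerShell prompt on Windows 8.1/10/Server.

# 1. Which SMB servers is this client currently talking to, and over which dialect?
$connections = Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, UserName, NumOpens

if ($connections) {
    Write-Host "Active SMB client connections:"
    $connections | Format-Table -AutoSize
    # SMB 2.x/3.x sessions are the ones handled by the mrxsmb20.sys driver
    # named in the vulnerability note.
    $smb2 = $connections | Where-Object { $_.Dialect -like '2.*' -or $_.Dialect -like '3.*' }
    Write-Host ("{0} connection(s) use SMB2/SMB3 dialects." -f @($smb2).Count)
} else {
    Write-Host "No active SMB client connections."
}

# 2. Block outbound SMB/NetBIOS toward non-local addresses (TCP 139/445, UDP 137/138).
#    -RemoteAddress Internet limits the block to addresses outside the local
#    subnet/intranet, so file shares on the LAN keep working. Rule names are
#    arbitrary values chosen for this example.
$rules = @(
    @{ Name = 'Example-Block-Outbound-SMB-TCP';     Protocol = 'TCP'; Ports = @(139, 445) },
    @{ Name = 'Example-Block-Outbound-NetBIOS-UDP'; Protocol = 'UDP'; Ports = @(137, 138) }
)

foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name `
            -Direction Outbound -Action Block -Profile Any `
            -Protocol $r.Protocol -RemotePort $r.Ports `
            -RemoteAddress Internet | Out-Null
        Write-Host "Created rule: $($r.Name)"
    } else {
        Write-Host "Rule already exists: $($r.Name)"
    }
}

# 3. Verify the rules exist, are enabled, and carry the intended port filters.
Get-NetFirewallRule -DisplayName 'Example-Block-Outbound-*' | ForEach-Object {
    $ports = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Action   = $_.Action
        Protocol = $ports.Protocol
        Remote   = ($ports.RemotePort -join ',')
    }
} | Format-Table -AutoSize
```

A host firewall rule does not replace the perimeter block US-CERT describes; on domain-joined machines confirm that domain controllers and file servers are classified as intranet before relying on the `Internet` scope.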