The United States Computer Emergency Readiness Team (US-CERT) has published an advisory for a new zero-day vulnerability affecting the Microsoft Windows 8, 10, and Server operating systems.
US-CERT states:
Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system.
Attackers using this particular zero-day can launch denial of service (DoS) attacks against versions of Windows that contain the bug: a vulnerable system only has to be made to connect to a malicious SMB server. US-CERT notes that the vulnerability may also be exploitable to execute arbitrary code with Windows kernel privileges.
The vulnerability description reports additional information:
Windows fails to properly handle traffic from a malicious server. In particular, Windows does not properly handle a server response that contains too many bytes following the structure defined by the SMB2 TREE_CONNECT Response. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. It is not clear at this point whether this vulnerability may be exploitable beyond a denial-of-service attack. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems.
US-CERT has confirmed the vulnerability on fully patched Windows 8.1 and Windows 10 client systems. The Bleeping Computer website reports that the security researcher known as PythonResponder claims the vulnerability also affects Windows Server 2012 and 2016.
There is currently no official confirmation that Windows Server is affected by the vulnerability.
US-CERT rates the vulnerability at the highest severity score (10), and it is worth noting that Microsoft has not yet released a security update or advisory for it.
In the meantime, US-CERT recommends blocking all outbound SMB connections from the local network to the WAN: TCP ports 139 and 445, and UDP ports 137 and 138.
To check whether your Windows system currently has any SMB connections open, do the following:
- In search, type PowerShell, right-click the icon and choose "Run as administrator".
- Confirm the UAC prompt that appears.
- Run the Get-SmbConnection command.
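The check above and the outbound-blocking mitigation US-CERT recommends, worked through as one script. This is an added example, not code from the article or from US-CERT: it lists the machine's current SMB client connections, resolves each server name and flags any that resolve to a public (non-private, non-loopback, non-link-local) address, since an SMB connection to an Internet host is exactly the situation the advisory warns about. The firewall rules at the end use Windows' built-in "Internet" address keyword so that SMB to the local network keeps working; they are created with -WhatIf so nothing changes until you remove it. Function and rule names are my own choices.

```powershell
# Added example (not from the article or US-CERT). Requires an elevated
# PowerShell prompt; Get-SmbConnection and New-NetFirewallRule ship with
# Windows 8 / Server 2012 and later.

function Test-LocalAddress {
    # Returns $true for addresses that belong to the local machine or a
    # private network: loopback, link-local, RFC1918 IPv4, IPv6 ULA/site-local.
    param([System.Net.IPAddress]$Address)
    if ([System.Net.IPAddress]::IsLoopback($Address)) { return $true }
    if ($Address.AddressFamily -eq 'InterNetworkV6') {
        return $Address.IsIPv6LinkLocal -or $Address.IsIPv6SiteLocal -or
               ($Address.GetAddressBytes()[0] -band 0xFE) -eq 0xFC   # fc00::/7
    }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-SmbConnectionReport {
    # One row per current SMB client connection, with the resolved server
    # addresses and a flag telling you whether the server is off-network.
    foreach ($conn in Get-SmbConnection) {
        $addresses = @()
        try {
            $addresses = [System.Net.Dns]::GetHostAddresses($conn.ServerName)
        } catch {
            # Name resolution failed: still report the connection, unclassified.
        }
        $public = @($addresses | Where-Object { -not (Test-LocalAddress $_) })
        if ($public.Count -gt 0)      { $flag = 'PUBLIC ADDRESS - review' }
        elseif ($addresses.Count -gt 0) { $flag = 'private/local' }
        else                          { $flag = 'unresolved' }

        [PSCustomObject]@{
            Server  = $conn.ServerName
            Share   = $conn.ShareName
            Dialect = $conn.Dialect      # e.g. 3.02 on Windows 8.1/10
            User    = $conn.UserName
            Address = ($addresses -join ', ')
            Flag    = $flag
        }
    }
}

Get-SmbConnectionReport | Format-Table -AutoSize

# Mitigation from the advisory: block outbound SMB (TCP 139/445) and NetBIOS
# (UDP 137/138) towards the Internet. "Internet" is a Windows Firewall address
# keyword meaning "not on any local subnet", so intranet file shares keep
# working. Remove -WhatIf to actually create the rules.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet (TCP 139,445)' `
    -Direction Outbound -Protocol TCP -RemotePort 139,445 `
    -RemoteAddress Internet -Action Block -WhatIf
New-NetFirewallRule -DisplayName 'Block outbound NetBIOS to Internet (UDP 137,138)' `
    -Direction Outbound -Protocol UDP -RemotePort 137,138 `
    -RemoteAddress Internet -Action Block -WhatIf
```

A host-level rule like this only protects the machine it is created on; on a managed network the same ports should also be blocked at the perimeter firewall, as US-CERT recommends, so that a client that is tricked into opening a UNC path to an Internet host never reaches the malicious server.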