{"id":6496,"date":"2017-02-03T10:31:03","date_gmt":"2017-02-03T18:31:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/03\/news-325\/"},"modified":"2017-02-03T10:31:03","modified_gmt":"2017-02-03T18:31:03","slug":"news-325","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/02\/03\/news-325\/","title":{"rendered":"Zero-day Windows file-sharing flaw can crash systems, maybe worse"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2016\/04\/bsod-1-100655532-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucian Constantin | Date: Fri, 03 Feb 2017 08:43:00 -0800<\/strong><\/p>\n<p> The implementation of the SMB network file sharing protocol in Windows has a serious vulnerability that could allow hackers to, at the very least, remotely crash systems. <\/p>\n<p> The unpatched vulnerability was publicly disclosed Thursday by an independent security researcher named Laurent Gaffi\u00e9, who claims that Microsoft has delayed releasing a patch for the flaw for the past three months. <\/p>\n<p> Gaffi\u00e9, known on Twitter as PythonResponder, published a proof-of-concept exploit for the vulnerability on GitHub, triggering <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/867968\" target=\"_blank\">an advisory<\/a> from the CERT Coordination Center (CERT\/CC) at Carnegie Mellon University. <\/p>\n<p> &#8220;Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service or potentially execute arbitrary code on a vulnerable system,&#8221; CERT\/CC said in the advisory. <\/p>\n<p> Microsoft&#8217;s implementation of the Server Message Block (SMB) protocol is used by Windows computers to share files and printers over a network and also handles authentication to those shared resources. 
<\/p>\n<p> The vulnerability affects Microsoft SMB version 3, the most recent version of the protocol. CERT\/CC has confirmed that the exploit can be used to crash fully patched versions of Windows 10 and Windows 8.1. <\/p>\n<p> An attacker can exploit the vulnerability by tricking a Windows system into connecting to a malicious SMB server, which would then send specially crafted responses. There are a number of techniques to force such SMB connections and some require little or no user interaction, CERT\/CC warned. <\/p>\n<p> The good news is that there are no confirmed reports of successful arbitrary code execution through this vulnerability yet. However, if this is a memory corruption issue as described by CERT\/CC, code execution might be a possibility. <\/p>\n<p> &#8220;The crashes we&#8217;ve observed so far do not manifest in a manner that suggests straight-forward code execution, but that may change, though, as we have time to analyze it more in-depth,&#8221; said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email. &#8220;This is only the initial stage of the analysis.&#8221; <\/p>\n<p> Eiram&#8217;s company also confirmed the crash on a fully patched Windows 10 system, but has yet to establish if this is just a NULL pointer dereference crash or the result of a deeper issue that could have a more severe impact. Just to be on the safe side, the company is following CERT\/CC&#8217;s lead in treating this as a potential code execution flaw. CERT\/CC scored this vulnerability&#8217;s impact with a 10, the maximum in the Common Vulnerability Scoring System (CVSS). <\/p>\n<p> Gaffi\u00e9 <a href=\"https:\/\/twitter.com\/PythonResponder\/status\/826169121045958656\" target=\"_blank\">said on Twitter<\/a> that Microsoft plans to patch this issue during its next &#8220;Patch Tuesday,&#8221; which this month will fall on February 14 &#8212; the second Tuesday of the month. 
However, it&#8217;s possible that Microsoft could break out of its regular patch cycle if the vulnerability is indeed critical and starts to be exploited in the wild. <\/p>\n<p> Microsoft did not immediately respond to a request for comment. <\/p>\n<p> Both CERT\/CC and Eiram advise network administrators to block outbound SMB connections &#8212; TCP ports 139 and 445 along with UDP ports 137 and 138 &#8212; from local networks to the Internet. This won&#8217;t completely eliminate the threat, but will isolate it to local networks. <\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3165404\/security\/zero-day-windows-file-sharing-flaw-can-crash-systems-maybe-worse.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2016\/04\/bsod-1-100655532-primary.idge.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p> The implementation of the SMB network file sharing protocol in Windows has a serious vulnerability that could allow hackers to, at the very least, remotely crash systems.<\/p>\n<p> The unpatched vulnerability was publicly disclosed Thursday by an independent security researcher named Laurent Gaffi\u00e9, who claims that Microsoft has delayed releasing a patch for the flaw for the past three months.<\/p>\n<p> Gaffi\u00e9, known on Twitter as PythonResponder, published a proof-of-concept exploit for the vulnerability on GitHub, triggering <a href=\"https:\/\/www.kb.cert.org\/vuls\/id\/867968\" target=\"_blank\">an advisory<\/a> from the CERT Coordination Center (CERT\/CC) at Carnegie Mellon University.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3165404\/security\/zero-day-windows-file-sharing-flaw-can-crash-systems-maybe-worse.html#jump\">To read this article in full or to leave a comment, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,10761],"class_list":["post-6496","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6496"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6496\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6496"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}