On February 2 (Beijing Time), a proof of concept (PoC) for a remote zero-day vulnerability in Windows SMBv3 was published on GitHub. The PoC shows that an attacker who runs a malicious (simulated) SMB server and entices a client to send it an SMB request can trigger the vulnerability; an attacker positioned as a man-in-the-middle can achieve the same result by injecting a malicious SMB response into an existing SMB session. The effect is a denial of service: the affected system crashes with a blue screen of death (BSoD) and then shuts down and restarts.
Microsoft has not yet published an advisory for this vulnerability, and no patch release date is known at the moment.
See the following for more information about the vulnerability.
Windows SMBv3 remote Denial of Service 0day vulnerability
This vulnerability exists in the SMB client driver (mrxsmb20.sys). The published PoC shows that a successful exploit causes a BSoD of the operating system. Because the flaw is on the client side and is triggered by a malicious SMB response, the vulnerable path is the victim's own SMB connection to a remote server on TCP port 445 or 139 (outbound from the victim), not an inbound connection to the victim. An attacker can therefore trigger it by sitting in the middle of an existing SMB connection, or by enticing a user to open an email, file, or web page that contains a UNC path pointing at an attacker-controlled SMB server, causing a BSoD and shutdown of the affected machine.
Affected systems and exploitation conditions
Windows Server 2012/2016, Windows 8/8.1, and Windows 10
The Alibaba Cloud Security Team has tested and confirmed that Windows Server 2012 is affected by this vulnerability.
How to fix or mitigate
Because the attack method is public and no patch is available yet, we recommend that cloud users adopt the following two measures to mitigate the risk:
Do not connect to untrusted SMB servers unless necessary. This includes UNC paths (\\server\share) embedded in emails, documents, or web pages from unknown sources, since opening them makes the SMB client connect to the named server.
Block TCP ports 139 and 445 on the host firewall, and block inbound and outbound SMB traffic with security group policies. Since the vulnerable component is the SMB client, the outbound rule is the one that stops this attack; the inbound rule reduces the host's exposure to SMB traffic in general. Note that this also blocks legitimate access to file shares, so if shares are needed, scope the rules to the specific servers that must remain reachable.
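As an added example (not from the original advisory), the following PowerShell script applies the host-side part of the second mitigation with the built-in NetSecurity cmdlets, which exist on Windows 8/Server 2012 and later (the affected systems). It checks that the driver named above is present, lists any SMB sessions the host currently has open to remote servers, and then adds outbound and inbound block rules for TCP 139/445. The rule names are assumptions, and the optional address scoping in the comments is a suggestion, not something the advisory specifies; security group policies on the cloud side are configured in the console and are not covered here.

```powershell
#Requires -RunAsAdministrator
# Added example, not the advisory's own script. Run from an elevated PowerShell prompt
# on Windows 8/8.1/10 or Windows Server 2012/2016. Rule names below are assumptions.

# 1. Confirm the SMB2/3 client driver named in the advisory is present, and record
#    its file version so you can compare it with a fixed build once a patch ships.
$driver = Get-Item "$env:SystemRoot\System32\drivers\mrxsmb20.sys" -ErrorAction SilentlyContinue
if ($driver) {
    "mrxsmb20.sys version: {0}" -f $driver.VersionInfo.FileVersion
} else {
    "mrxsmb20.sys not found on this host"
}

# 2. Show SMB sessions this host currently has open to remote servers.
#    The vulnerable direction is outbound, so an established connection to an
#    unexpected remote address is what you want to notice.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 139, 445 } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

# 3. Block outbound SMB. This is the rule that stops the client-side attack,
#    because the victim has to connect out to the malicious server.
#    -RemoteAddress Any blocks all file-share access from this host; if internal
#    file servers must stay reachable, replace "Any" with the address ranges you
#    want blocked (for example, everything outside your internal networks).
#    Windows Firewall gives block rules precedence over allow rules, so an allow
#    rule for trusted servers would NOT override a block rule that covers them.
$blockedRemote = "Any"

New-NetFirewallRule -DisplayName "Block outbound SMB (TCP 139,445)" `
    -Direction Outbound -Protocol TCP -RemotePort 139, 445 `
    -RemoteAddress $blockedRemote -Action Block -Profile Any -Enabled True | Out-Null

# 4. Block inbound SMB as well, to reduce the host's SMB exposure in general.
New-NetFirewallRule -DisplayName "Block inbound SMB (TCP 139,445)" `
    -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
    -Action Block -Profile Any -Enabled True | Out-Null

# 5. Verify that both rules exist, are enabled, and carry the expected port filters.
Get-NetFirewallRule -DisplayName "Block * SMB (TCP 139,445)" |
    ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Enabled    = $_.Enabled
            Direction  = $_.Direction
            Action     = $_.Action
            LocalPort  = ($ports.LocalPort -join ",")
            RemotePort = ($ports.RemotePort -join ",")
        }
    } | Format-Table -AutoSize

# To confirm the outbound block from this host, test a connection to a server you
# control (hostname below is a placeholder); TcpTestSucceeded should report False.
# Test-NetConnection -ComputerName fileserver.example.internal -Port 445
```

The rules apply immediately and survive reboots. To roll them back after a patch is installed, remove them by name with Remove-NetFirewallRule -DisplayName "Block outbound SMB (TCP 139,445)" (and the inbound rule likewise).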