
[Vulnerability notice] Windows SMBv3 remote Denial of Service 0day vulnerability

Last Updated: Mar 19, 2018

On February 2 (Beijing Time), a zero-day remote attack vulnerability in Windows SMBv3 was disclosed on GitHub. The published proof of concept (PoC) shows that an attacker can trigger the vulnerability by setting up a malicious SMB server and enticing a client to send it an SMB request. An attacker positioned as a man-in-the-middle can also inject a malicious SMB response to cause a denial of service: the affected system crashes with a blue screen of death (BSoD) and then shuts down and restarts.

So far, Microsoft has not published an announcement on this vulnerability, and the patch release time is unknown for the moment.

See the following for more information about the vulnerability.

CVE identifier

None

Vulnerability name

Windows SMBv3 remote Denial of Service 0day vulnerability

Vulnerability rating

None

Vulnerability description

This vulnerability exists in the SMB client driver (mrxsmb20.sys). The published PoC indicates that a successful exploit causes a BSoD of the operating system. An attacker can trigger the vulnerability remotely over the SMB ports (TCP 139 and 445), by mounting a man-in-the-middle attack, or by enticing users to open an email, file, or web page that contains a UNC path, causing a BSoD and shutdown of the affected system.

Condition and method of exploitation

Remote exploitation.

Affected scope

Windows Server 2012/2016, Windows 8/8.1, and Windows 10

According to testing and verification by the Alibaba Cloud Security Team, Windows Server 2012 is confirmed to be affected by this vulnerability.

Vulnerability detection

None

How to fix or mitigate

Because the attack method is public and no patch is available yet, we recommend that cloud users adopt the following two measures to mitigate the risk:

  • Do not access untrusted SMB servers unless necessary.

  • Block TCP Ports 139 and 445 on the firewall, and block inbound and outbound SMB traffic by means of security group policies to avoid the security risks caused by this vulnerability.
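The host-firewall part of the second measure, as an added example that is not part of the original notice: the PowerShell below blocks inbound and outbound SMB (TCP 139/445) with the Windows Firewall NetSecurity cmdlets, verifies the resulting rules, and lists any SMB sessions the host currently holds to addresses outside the private ranges. The rule display names and the private-range pattern are assumptions chosen for this example; run it in an elevated session on Windows 8/Server 2012 or later.

```powershell
# Added example (not the notice's own code): block SMB on the Windows host firewall
# and review existing outbound SMB sessions. Rule names are assumptions chosen here.
# Requires an elevated PowerShell session and the NetSecurity module (Windows 8/2012+).

$smbPorts = @(139, 445)

# Block outbound SMB to every remote host; this covers the client-side exposure
# (a malicious SMB server reached via a UNC path) described in the notice.
New-NetFirewallRule -DisplayName "Block outbound SMB (139/445)" `
    -Direction Outbound -Protocol TCP -RemotePort $smbPorts `
    -Action Block -Profile Any -Enabled True | Out-Null

# Block inbound SMB as well, matching the notice's recommendation.
New-NetFirewallRule -DisplayName "Block inbound SMB (139/445)" `
    -Direction Inbound -Protocol TCP -LocalPort $smbPorts `
    -Action Block -Profile Any -Enabled True | Out-Null

# Verify that both rules exist and carry the expected protocol/port filters.
Get-NetFirewallRule -DisplayName "Block * SMB (139/445)" |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Protocol   = $filter.Protocol
            LocalPort  = ($filter.LocalPort  -join ',')
            RemotePort = ($filter.RemotePort -join ',')
        }
    } | Format-Table -AutoSize

# List SMB sessions this host already has open to non-private addresses, so any
# unexpected remote SMB server can be reviewed before the block rule cuts it off.
$privateRanges = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$)'   # assumed internal ranges
Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateRanges } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess
```

On a domain-joined host that needs internal file shares or SYSVOL access, an unscoped outbound block will break them, because Windows Firewall block rules take precedence over allow rules; in that case scope the outbound rule with `-RemoteAddress` to the untrusted ranges or limit it to `-Profile Public`, and leave the cloud security group to enforce the perimeter block.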

Reference

[1]. https://www.theregister.co.uk/2017/02/04/windows_flaw_adds_crashing_as_a_service/?mt=148619518653
