Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft advisory for Windows 7 / Windows Server 2008 R2 Remote SMB DoS Exploit released

Published: 2009-11-14
Last Updated: 2011-02-08 23:50:51 UTC
by Adrien de Beaupre (Version: 2)
2 comment(s)

Microsoft has released an advisory for the Windows 7 / Windows Server 2008 R2 Remote SMB DoS Exploit the ISC discussed here: http://isc.sans.org/diary.html?storyid=7573. CVE-2009-3676 has been assigned to the vulnerability. The advisory is here: http://www.microsoft.com/technet/security/advisory/977544.mspx

This vulnerability is not related to MS09-050, it affects both SMBv1 and SMBv2, and is brand spanking new. Disabling SMBv2 is not an effective mitigation. The impact is strictly a Denial of Service attack, no remote code execution.

Assuming that you block TCP ports 139 and 445 the only impact would be an internal attacker could disable affected systems until restarted. In the grand scheme of things this would not be a critical issue unless all of a sudden your servers had to be rebooted on a regular basis, in that case you may have bigger problems because the fox would already be in the henhouse.

The list of affected systems is: Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems (includig Server Core), and Windows Server 2008 R2 for Itanium-based Systems.

Presumably Microsoft will release a patch in the near future, either out of band or in the next batch of 'patch Tuesday just before pray and reboot Wednesday'.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

2 comment(s)
Diary Archives