Vulnerability in Microsoft SMBv3 protocol crashes Windows PCs

Computers running fully patched Windows 10, 8.1, Server 2012, and 2016 are hit by Blue Screens when they connect to a malicious SMB server

Credit: Blair Hanley Frank

Security experts warn that a vulnerability in SMB, the protocol widely used to connect Windows clients and servers, may be exploitable to inject and execute malicious code on Windows computers rather than merely crash them.

Computers running fully patched Windows 10, 8.1, Server 2012, or 2016 that connect to a malicious SMB server crash with a Blue Screen triggered in mrxsmb20.sys, the client-side SMB 2.x/3.x redirector driver, according to a post today on Günter Born's Born's Tech and Windows World blog.

The bug is a buffer overflow in Microsoft's SMBv3 client code. SMBv3 is the latest version of the protocol used to connect Windows clients and servers for sharing files and printers. Because the crash occurs in the client-side driver, the attack works by luring a Windows machine into connecting to a server the attacker controls, not by attacking a Windows server directly.

Proof of Concept code for the vulnerability was released on GitHub yesterday by @PythonResponder. There has been no response from Microsoft as yet.

There are currently no reports of this particular security hole leading to a takeover of affected computers, but US-CERT Vulnerability Note VU#867968 raises the possibility that new exploit code for the vulnerability may be able to inject and execute malicious code on Windows computers.

Johannes Ullrich posted a warning on the SANS Internet Storm Center, concluding “it isn’t clear if this is exploitable beyond a denial of service.”

US-CERT advises:

The CERT/CC is currently unaware of a practical solution to this problem... Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

Even more troubling, US-CERT gives this vulnerability a CVSS Base score of 10, the highest possible rating.
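A host-level version of the US-CERT mitigation, as an added example that is not code from the article, US-CERT or Born's blog. It assumes a Windows 8.1/Server 2012 or later host with the NetSecurity PowerShell module, an elevated prompt, and the firewall's predefined "Internet" address set (anything outside the local subnet/intranet as determined by network location awareness); the rule group, rule names and the test address 198.51.100.10 are chosen here.

```powershell
# Added example: block outbound SMB/NetBIOS from this host to non-local
# addresses so the client cannot be lured into connecting to a malicious
# SMB server on the Internet. Run from an elevated PowerShell prompt.
# Assumptions: Windows 8.1/Server 2012+ (NetSecurity module); rule names
# and group below are arbitrary and chosen for this example.

#Requires -RunAsAdministrator

$ruleGroup = 'Outbound SMB block (VU#867968)'

# The port sets named in the US-CERT note. 'Internet' is the firewall's
# predefined address set for hosts outside the local subnet/intranet; it is
# used instead of 'Any' because block rules win over allow rules in Windows
# Firewall, and 'Any' would also break LAN file and printer sharing.
$rules = @(
    @{ Name = 'Block outbound SMB TCP 139/445 to Internet';   Protocol = 'TCP'; RemotePort = @('139', '445') },
    @{ Name = 'Block outbound NetBIOS UDP 137/138 to Internet'; Protocol = 'UDP'; RemotePort = @('137', '138') }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Group $ruleGroup `
            -Direction Outbound -Action Block -Enabled True -Profile Any `
            -Protocol $r.Protocol -RemotePort $r.RemotePort `
            -RemoteAddress Internet | Out-Null
    }
}

# Verify: show each rule with its port and address filters.
Get-NetFirewallRule -Group $ruleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Action     = $_.Action
        Protocol   = $port.Protocol
        RemotePort = ($port.RemotePort -join ',')
        RemoteAddr = $addr.RemoteAddress
    }
} | Format-Table -AutoSize

# Optional live check against a non-local address (198.51.100.10 is from the
# documentation range and chosen here). With the rules in place the client
# should report TcpTestSucceeded = False.
# Test-NetConnection -ComputerName 198.51.100.10 -Port 445
```

On a host whose network location detection is unreliable, replace `-RemoteAddress Internet` with explicit address ranges that are reachable only across the WAN; there is no negation operator in Windows Firewall rules, so a block rule scoped to `Any` cannot be carved out with a later allow rule for the LAN.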

Born advises that the effect is limited on small networks:

For me, it seems that this is for companies with WANs. For small LANs I would classify the risk as low, because an attacker needs access to the network shares. Also, in networks where WLAN access is WPA2 protected, I can't see how the exploit can be used.

The discussion continues on the AskWoody Lounge.