U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

US-CERT is warning about a Windows SMB zero-day flaw

The US-CERT issued a security advisory to warn of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited by a remote attacker. The US-CERT is warning of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited to cause a denial of service condition or […]

zero-day

The US-CERT issued a security advisory to warn of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited by a remote attacker.

The US-CERT is warning of a zero-day memory corruption vulnerability in the SMB (Server Message Block) protocol that can be exploited to cause a denial of service condition or execute arbitrary code on a vulnerable system.

The flaw was publicly disclosed by @PythonResponder, who confirmed the issue affected Windows Server 2012 and 2016 versions.

https://twitter.com/PythonResponder/status/826169121045958656

The flaw resides in the way the Windows OS handles the Server Message Block traffic, the vulnerability could be remotely exploited by an unauthenticated attacker.

“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.” reads the advisory issued by the US-CERT. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.”

SMB zero-day flaw

The vulnerability was ranked with a Common Vulnerability Scoring System (CVSS) score of 10.0.

The advisory highlights that it is possible to trigger the flaw in multiple ways once a Windows system connects to an SMB share, and some attack scenarios don’t require user interaction.

“Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction,” continues the advisory.

When a vulnerable Windows machine connects to a malicious SMB server, it can crash in mrxsmb20.sys.

The US-CERT confirmed the public availability of the exploit code for this vulnerability and the lack of a practical solution to the problem.

A possible workaround consists in blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

The proof-of-concept code for this vulnerability has been published on GitHub.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Server Message Block, zero-day, hacking)