• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Zero Day SMB Vulnerability Affects Windows Server 2003 and XP

February 16, 2011 By Corey Nachreiner

Yesterday, a gray hat going by the alias Cupidon-3005 posted details about a zero day Windows SMB vulnerability that could potentially allow attackers to gain control of fully patched Windows Server 2003 and XP computers. Microsoft is currently investigating this surprise release, but hasn’t had time to post an early Security Advisory about the issue yet, let alone deliver a patch.

Specifically, the vulnerability involves a buffer overflow flaw within the SMB component’s mrxsmb.sys file. By sending a specially crafted browser election request packet containing an overly long server name, an attacker could exploit this flaw to either crash your computer, or execute code on it, potentially gaining complete control of your PC.

Since Microsoft just learned of this flaw on the 15th, they haven’t had time to release a patch yet. However, your WatchGuard firewall can help. By default, our appliances block SMB and broadcast traffic (the exploit leverages broadcast requests), which prevents Internet-based attackers from leveraging this flaw against you (assuming you haven’t opened SMB ports, which you should never do). That said, worms quite regularly rely on SMB vulnerabilities to help them automatically spread within networks, once they infect the first victim. So in general, I consider SMB vulnerabilities high risk. I’ll continue to monitor Microsoft’s investigation into this flaw, and will post updates when they release any workaround or patch.

[UPDATE]: In a blog post, Microsoft claims that though theoretically possible, they believe it’s impractical for attackers to leverage this flaw to execute code. As such, they believe it primarily represents a DoS risk. Other security researchers have been quick to point out that attackers have figured out way to leverage impractical vulnerabilities in the past, though. Microsoft has still not released a patch, and based on their severity analysis of this flaw, they likely will not release any rushed out-of-cycle patch either.

– Corey Nachreiner, CISSP

Cupidon-3005

Share This:

Related

Filed Under: Security Bytes Tagged With: buffer overflow, exploit, Microsoft, smb, worm, Zero day exploit

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • US National Cybersecurity Strategy
  • Cybersecurity’s Toll on Mental Health
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • Cybersecurity’s Toll on Mental Health
  • Successfully Prosecuting a Russian Hacker
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use