Yesterday, a gray hat going by the alias Cupidon-3005 posted details about a zero day Windows SMB vulnerability that could potentially allow attackers to gain control of fully patched Windows Server 2003 and XP computers. Microsoft is currently investigating this surprise release, but hasn’t had time to post an early Security Advisory about the issue yet, let alone deliver a patch.
Specifically, the vulnerability involves a buffer overflow flaw within the SMB component’s mrxsmb.sys file. By sending a specially crafted browser election request packet containing an overly long server name, an attacker could exploit this flaw to either crash your computer, or execute code on it, potentially gaining complete control of your PC.
Since Microsoft just learned of this flaw on the 15th, they haven’t had time to release a patch yet. However, your WatchGuard firewall can help. By default, our appliances block SMB and broadcast traffic (the exploit leverages broadcast requests), which prevents Internet-based attackers from leveraging this flaw against you (assuming you haven’t opened SMB ports, which you should never do). That said, worms quite regularly rely on SMB vulnerabilities to help them automatically spread within networks, once they infect the first victim. So in general, I consider SMB vulnerabilities high risk. I’ll continue to monitor Microsoft’s investigation into this flaw, and will post updates when they release any workaround or patch.
[UPDATE]: In a blog post, Microsoft claims that though theoretically possible, they believe it’s impractical for attackers to leverage this flaw to execute code. As such, they believe it primarily represents a DoS risk. Other security researchers have been quick to point out that attackers have figured out way to leverage impractical vulnerabilities in the past, though. Microsoft has still not released a patch, and based on their severity analysis of this flaw, they likely will not release any rushed out-of-cycle patch either.
Cupidon-3005