SMB File Sharing Protocol Flaw Made Public Before Release of Patch

Details of an SMB file sharing protocol flaw in Windows have been made public some 12 days prior to the release of a patch by Microsoft. Laurent Gaffié, the researcher who published details of the flaw, has claimed that Microsoft had been aware of the issue for around 3 months beforehand yet failed to patch the vulnerability.

An attacker who exploits the SMB file sharing protocol flaw would be able to crash Windows 10 and 8.1 computers. To date, however, there have been no reports indicating that the flaw could be used to achieve remote code execution.

The weakness is a memory corruption vulnerability in the way the two most recent Windows versions handle Server Message Block, or SMB, traffic. Should an attacker send a specially crafted message from his or her server, it could theoretically trigger a buffer overflow condition. This would then cause the system to crash and reboot.

Laurent Gaffié’s revelation is not the first occasion on which an SMB file sharing protocol flaw has been discovered. A number of issues with the protocol have emerged in recent years.

The discovery of the flaw has prompted US-CERT and several other organizations to publish security alerts following the release of a proof-of-concept exploit on the GitHub website. The weakness has the potential to be exploited on enterprise computers, but small businesses and private users appear to be most at risk.

This particular vulnerability can be exploited rather simply. The only thing required is to fool users into visiting a malicious server. Attackers achieve this via a link in an email or webpage, or alternatively a website redirect.

It is difficult to prevent the exploitation of the flaw, but the risk can be minimized by blocking outbound SMB connections on TCP ports 139 and 445 and UDP ports 137 and 138. The majority of businesses will already be blocking outbound connections via these ports, but smaller businesses and private users may not yet have taken action.
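One way to check that the outbound block is actually in force is to audit firewall connection records for SMB and NetBIOS traffic leaving the internal network. The script below is an added example, not part of the original article: the log format, the sample records and the function names are constructed for illustration, and the internal address ranges are an assumption to adjust for your network.

```python
import ipaddress
import re

# TCP 139 and 445, UDP 137 and 138: the SMB and NetBIOS ports to block outbound.
SMB_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Address space treated as internal (assumption): RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed log format (an assumption, not any real product's format):
#   <timestamp> <ALLOW|DROP> <TCP|UDP> <src>:<port> -> <dst>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")

def is_internal(addr):
    """True if addr falls inside one of the ranges treated as internal."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit(lines):
    """Return (status, timestamp, src, proto, dst, dport) for every SMB/NetBIOS
    connection to a non-internal address. GAP = allowed out, BLOCKED = dropped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a connection record
        proto, dport = m["proto"], int(m["dport"])
        if (proto, dport) not in SMB_PORTS:
            continue
        try:
            if is_internal(m["dst"]):
                continue  # internal file sharing is expected traffic
        except ValueError:
            continue  # destination is not a valid IP address
        status = "GAP" if m["action"] == "ALLOW" else "BLOCKED"
        findings.append((status, m["ts"], m["src"], proto, m["dst"], dport))
    return findings

# Constructed sample records; external addresses are documentation ranges.
SAMPLE_LOG = """\
2017-02-03T09:14:02Z ALLOW TCP 192.168.1.23:49812 -> 192.168.1.5:445
2017-02-03T09:14:40Z ALLOW TCP 192.168.1.23:49830 -> 203.0.113.10:445
2017-02-03T09:15:11Z DROP UDP 192.168.1.40:137 -> 198.51.100.7:137
2017-02-03T09:15:30Z ALLOW TCP 192.168.1.23:49900 -> 203.0.113.10:443
2017-02-03T09:16:05Z DROP TCP 10.0.4.8:50211 -> 203.0.113.77:139
malformed line
"""
```

A `GAP` finding means an egress rule is missing. A `BLOCKED` finding means the rule worked, but the source host tried to reach an external SMB server and is worth a closer look.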

A policy change at Microsoft means that it now issues patches for its products only on the 2nd Tuesday of every month. Should information emerge indicating that the flaw is being actively exploited in the wild, Microsoft might decide to issue a patch as soon as possible. That scenario, however, seems unlikely.

The present indication is that Microsoft will patch the SMB file sharing protocol flaw on Tuesday the 14th of February 2017.