Check: 2011-A-0079
windows 7 iavm:
2011-A-0079
(in version v1 r32)
Title
Microsoft SMB Client Remote Code Execution Vulnerability (Cat II impact)
Discussion
Microsoft has released a security bulletin addressing a vulnerability affecting the Server Message Block (SMB) implementation in various versions of Microsoft Windows. SMB is an application layer protocol used to provide shared access to network resources. To exploit this vulnerability, an attacker would send a malicious SMB response to a client-initiated SMB request. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code and compromise the affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD-related incidents.

SMB Response Parsing Vulnerability - (CVE-2011-1268): An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block (SMB) client implementation handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-043 (2536276).

Vulnerable Applications/Systems:

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2 (x86, x64, and Itanium)
- Windows Vista SP1 and SP2 (x86 and x64)
- Windows Server 2008 and Windows Server 2008 SP2 (x86\*, x64\*, and Itanium)
- Windows 7 and Windows 7 SP1 (x86 and x64)
- Windows Server 2008 R2 and Windows Server 2008 R2 SP1 (x64\* and Itanium)

\*Server Core installation affected.

Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below.

Mrxsmb.sys

Operating system | Version |
---|---|
Windows XP SP3 | 5.1.2600.6108 |
Windows XP SP2 x64 | 5.2.3790.4861 |
Windows 2003 SP2 | 5.2.3790.4861 |
Windows Vista SP1 / 2008 | 6.0.6001.18644 or 22910 |
Windows Vista SP2 / 2008 SP2 | 6.0.6002.18462 or 22634 |
Windows 7 / 2008 R2 | 6.1.7600.16808 or 20959 |
Windows 7 / 2008 R2 SP1 | 6.1.7601.17605 or 21714 |
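One way to automate the file-version check described above, as an added PowerShell example that is not part of the IAVM notice or the vendor bulletin. It reads each "or" pair as the minimums for Windows' two servicing branches (GDR and LDR), so a file on the higher branch is held to the higher minimum rather than passing a plain "greater than" test; the function name `Test-MrxsmbVersion`, the thousand-boundary used to tell the branches apart, and the sample versions are assumptions made for this example.

```powershell
# Minimum patched Mrxsmb.sys revisions, copied from the check text.
# Key: major.minor.build. Two values: one minimum per servicing branch.
$Minimums = @{
    '5.1.2600' = @(6108)            # Windows XP SP3
    '5.2.3790' = @(4861)            # Windows XP SP2 x64, Windows 2003 SP2
    '6.0.6001' = @(18644, 22910)    # Windows Vista SP1 / 2008
    '6.0.6002' = @(18462, 22634)    # Windows Vista SP2 / 2008 SP2
    '6.1.7600' = @(16808, 20959)    # Windows 7 / 2008 R2
    '6.1.7601' = @(17605, 21714)    # Windows 7 / 2008 R2 SP1
}

function Test-MrxsmbVersion {
    param([Parameter(Mandatory = $true)][version]$FileVersion)

    $key = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    if (-not $Minimums.ContainsKey($key)) { return 'NotListed' }

    $min = $Minimums[$key]
    $rev = $FileVersion.Revision
    $required = $min[0]
    if ($min.Length -eq 2) {
        # Assumption: the higher branch begins at the thousand below its
        # minimum (22910 -> 22000); revisions from there up need that minimum.
        $branchStart = $min[1] - ($min[1] % 1000)
        if ($rev -ge $branchStart) { $required = $min[1] }
    }
    if ($rev -ge $required) { return 'Patched' }
    return 'Vulnerable'
}

# Constructed sample versions, not readings from real hosts.
foreach ($v in '6.1.7601.17605', '6.1.7601.21000', '6.1.7601.17514', '5.1.2600.6108') {
    '{0,-16} {1}' -f $v, (Test-MrxsmbVersion $v)
}

# On a Windows host, evaluate the installed driver.
if ($env:SystemRoot) {
    $path = Join-Path $env:SystemRoot 'System32\drivers\mrxsmb.sys'
    if (Test-Path $path) {
        $vi = (Get-Item $path).VersionInfo
        $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        '{0,-16} {1}' -f $ver, (Test-MrxsmbVersion $ver)
    }
}
```

A `NotListed` result means the file's major.minor.build is not in the table above, in which case the vendor bulletin is the reference.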
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-28592
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |