Title

Microsoft Distributed File System Remote Code Execution Vulnerabilities (Cat I impact)

Discussion

Microsoft has released a Security Bulletin addressing multiple vulnerabilities in the Distributed File System. The Distributed File System allows access to files from multiple hosts sharing via a computer network. To exploit this vulnerability, an attacker would host a malicious server designed and convince a user to initiate a DFS connection. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code, perform a man-in-the-middle attack or cause a denial of service condition. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. DFS Memory Corruption Vulnerability - CVE-2011-1868: An unauthenticated remote code execution vulnerability exists in the way that the Distributed File System (DFS) client parses specially crafted DFS responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted DFS response to a client-initiated DFS request. DFS Referral Response Vulnerability - CVE-2011-1869: A denial of service vulnerability exists in the way that Microsoft Distributed File System (DFS) handles specially crafted DFS referral responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-042 (2535512). Vulnerable Applications/Systems: Windows XP SP3 Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 (x86, x64, and Itanium) Windows Vista SP1 and SP2 (x86 and x64) Windows Server 2008 and Windows Server 2008 SP2 (x86*, x64*, and Itanium) Windows 7 (x86 and x64) Windows Server 2008 R2 (x64* and Itanium) *Server Core installation affected. Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below. Mup.sys Windows XP SP3 – 5.1.2600.6103 Windows XP SP2 x64 – 5.2.3790.4851 Windows 2003 SP2 – 5.2.3790.4851 Dfsc.sys Windows Vista SP1 / 2008 – 6.0.6001.18633 or 22899 Windows Vista SP2 / 2008 SP2 – 6.0.6002.18451 or 22625 Windows 7 / 2008 R2 – 6.1.7600.16804 or 20953

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-28593

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.