Windows SMB Zero Day Exploit Threat Advisory

US-CERT released a warning on Thursday 2/2/2017 about a Microsoft Windows vulnerability caused by a memory corruption bug in the handling of SMB traffic. This vulnerability may allow a remote, unauthenticated attacker to cause a denial of service (crash or reboot) in a vulnerable system.

What happened?

The zero day has been confirmed to affect Windows clients that support SMBv3. This includes the following fully patched systems:

Windows 10
Windows 8.1
Windows Server 2016
Windows Server 2012R2

http://www.kb.cert.org/vuls/id/867968

What is the issue?

The proof of concept code for exploiting the code has been released on the Internet and is publicly available. There are a number of ways an attacker could get a Windows device to connect to a malicious SMB share such as clicking on a URL link. A Windows device that connects to the malicious SMB share would either reboot or crash (Blue Screen of Death) causing a denial of service.

There is currently no patch available for this threat advisory, hopefully one will be released on patch Tuesday.

Should we be concerned?

Yes, given that the vulnerability is fairly simple to exploit and the proof of concept is publically available companies should make sure they have taken steps to mitigate a potential denial of service to Windows systems.

What types of systems are vulnerable?

Please refer to US-CERT Vulnerability Note VU#867968 for specific details.

For more Information on this zero day:

Reference US-CERT has guidance:
02/02/2017 (updated) CVE-2017-0016 Severity = MEDIUM
http://www.kb.cert.org/vuls/id/867968

Additional References

Recommended Actions

Block outbound SMB connections to the WAN (TCP ports 139 & 445 along with UDP ports 137 & 138).
Patch vulnerable Windows devices as soon as a patch is available.

Download Threat Advisory (.pdf)

No one is immune to cyber-attacks

Be confident that threats to your network will be detected consistently and accurately with Tyler Detect. Our team of cybersecurity experts actively investigates to find threats and are always ready to offer you support and answer your questions.

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More

Sage Advice - Cybersecurity Blog