US-CERT released a warning on Thursday 2/2/2017 about a Microsoft Windows vulnerability caused by a memory corruption bug in the handling of SMB traffic. This vulnerability may allow a remote, unauthenticated attacker to cause a denial of service (crash or reboot) in a vulnerable system.
What happened?
The zero day has been confirmed to affect Windows clients that support SMBv3. This includes the following fully patched systems:
- Windows 10
- Windows 8.1
- Windows Server 2016
- Windows Server 2012R2
http://www.kb.cert.org/vuls/id/867968
What is the issue?
The proof of concept code for exploiting the code has been released on the Internet and is publicly available. There are a number of ways an attacker could get a Windows device to connect to a malicious SMB share such as clicking on a URL link. A Windows device that connects to the malicious SMB share would either reboot or crash (Blue Screen of Death) causing a denial of service.
There is currently no patch available for this threat advisory, hopefully one will be released on patch Tuesday.
Should we be concerned?
Yes, given that the vulnerability is fairly simple to exploit and the proof of concept is publically available companies should make sure they have taken steps to mitigate a potential denial of service to Windows systems.
What types of systems are vulnerable?
Please refer to US-CERT Vulnerability Note VU#867968 for specific details.
For more Information on this zero day:
- Reference US-CERT has guidance:
02/02/2017 (updated) CVE-2017-0016 Severity = MEDIUM
http://www.kb.cert.org/vuls/id/867968
Additional References
- http://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect
- http://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
- http://msdn.microsoft.com/en-us/library/cc246499.aspx
Recommended Actions
- Block outbound SMB connections to the WAN (TCP ports 139 & 445 along with UDP ports 137 & 138).
- Patch vulnerable Windows devices as soon as a patch is available.
Download Threat Advisory (.pdf)
No one is immune to cyber-attacks
Be confident that threats to your network will be detected consistently and accurately with Tyler Detect. Our team of cybersecurity experts actively investigates to find threats and are always ready to offer you support and answer your questions.