CERT-In Vulnerability Note CIVN-2008-171
Microsoft Windows WRITE_ANDX SMB Packet Denial of Service Vulnerability
Original Issue Date: October 24, 2008
Updated on: January 14, 2009
Severity Rating: High
Systems Affected
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows 2003
- Microsoft Windows Vista
- Microsoft Windows Vista SP1
- Microsoft Windows 2008
Overview
A remote Denial of Service vulnerability is reported in Microsoft Windows due to the way “srv.sys” handles malformed “WRITE_ANDX” SMB packets.
Description
Server Message Block (SMB) is an application-level protocol used for file sharing, network printing, and remote procedure calls over a network.
Common Internet File System (CIFS), a Windows-native SMB variant, is an open, cross-platform mechanism for clients to access file services from servers over a network. The WRITE_ANDX packet defines the data portion of the CIFS client request and server response packets.
The vulnerability is caused by an input validation error in the processing of "WRITE_ANDX" packets within “srv.sys”, the Server service driver, which supports file, print, and named-pipe sharing over a network. A specially crafted SMB packet whose offset is inconsistent with the packet size can cause an invalid memory access and crash the system, resulting in a DoS condition.
NOTE: Proof-of-concept exploit code is publicly available on the Internet.
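As an added example (not part of this note and not Microsoft's code), the following Python function shows the offset-versus-size consistency check described above, as a network sensor or protocol parser could apply it to a WRITE_ANDX request. It assumes the published SMB1/CIFS request layout and one complete SMB message with the 4-byte NetBIOS session header already removed; the names check_write_andx and build_sample are hypothetical, and the sample messages are constructed.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_WRITE_ANDX = 0x2F
HEADER_LEN = 32             # fixed SMB1 header size
WORDS_FMT = "<BBHHIIHHHHH"  # first 12 parameter words of the request

def check_write_andx(msg: bytes) -> str:
    """Classify one SMB1 message: 'skip', 'truncated', 'inconsistent' or 'ok'."""
    if len(msg) < HEADER_LEN + 1 or msg[:4] != SMB1_MAGIC:
        return "skip"
    if msg[4] != SMB_COM_WRITE_ANDX or msg[9] & 0x80:  # 0x80 = server reply
        return "skip"
    word_count = msg[HEADER_LEN]
    if word_count not in (12, 14):       # 14 adds OffsetHigh
        return "inconsistent"
    params_end = HEADER_LEN + 1 + 2 * word_count
    if len(msg) < params_end + 2:        # ByteCount must be present
        return "truncated"
    # AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout, WriteMode,
    # Remaining, DataLengthHigh, DataLength, DataOffset
    fields = struct.unpack_from(WORDS_FMT, msg, HEADER_LEN + 1)
    data_len = (fields[8] << 16) | fields[9]
    data_offset = fields[10]             # counted from the start of the header
    earliest = params_end + 2            # first byte after ByteCount
    if data_offset < earliest or data_offset + data_len > len(msg):
        return "inconsistent"
    return "ok"

def build_sample(data: bytes, data_offset=None) -> bytes:
    """Constructed WRITE_ANDX request (WordCount 12) used to exercise the check."""
    header = SMB1_MAGIC + bytes([SMB_COM_WRITE_ANDX]) + bytes(HEADER_LEN - 5)
    natural = HEADER_LEN + 1 + struct.calcsize(WORDS_FMT) + 2
    doff = natural if data_offset is None else data_offset
    words = struct.pack(WORDS_FMT, 0xFF, 0, 0, 0x4000, 0, 0, 0, 0, 0, len(data), doff)
    return header + bytes([12]) + words + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    for label, msg in [("well-formed", build_sample(b"hello")),
                       ("offset past end", build_sample(b"hello", data_offset=0x1000))]:
        print(label, "->", check_write_andx(msg))
```

A sensor would treat "inconsistent" results on TCP ports 139 and 445 as an alert condition for unpatched hosts.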
Workarounds
- Restrict network access to SMB services
- Block TCP ports 139 and 445 at the firewall
Solution
Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS09-001.
References
Microsoft
http://msdn.microsoft.com/en-us/library/aa302240.aspx
http://msdn.microsoft.com/en-us/library/aa302278.aspx
IBM ISS X-Force
http://xforce.iss.net/xforce/xfdb/45146
SecurityFocus
http://www.securityfocus.com/bid/31179
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln31179.html
FrSIRT
http://www.frsirt.com/english/advisories/2008/2583
CVE Name
CVE-2008-4114
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
