CERT-In Vulnerability Note CIVN-2008-177
Microsoft Windows SMB Credential Reflection Vulnerability

Original Issue Date: November 12, 2008

Severity Rating: Medium

Systems Affected

  • Microsoft Windows 2000 SP4 and prior
  • Microsoft Windows XP SP3 and prior
  • Microsoft Windows XP Professional x64 Edition SP2 and prior
  • Microsoft Windows Server 2003 SP2 and prior
  • Microsoft Windows Server 2003 x64 Edition SP2 and prior
  • Microsoft Windows Server 2003 with SP2 and prior for Itanium-based Systems
  • Microsoft Windows Vista SP1 and prior
  • Microsoft Windows Vista x64 Edition SP1 and prior
  • Microsoft Windows Server 2008 for 32-bit Systems
  • Microsoft Windows Server 2008 for x64-based Systems
  • Microsoft Windows Server 2008 for Itanium-based Systems

Overview

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.

Description

Server Message Block (SMB) is an application-level protocol used for file sharing, network printing, and remote procedure calls over a network.

NT LAN Manager (NTLM) is an authentication protocol based on a challenge/response mechanism used to determine the authenticity of the supplied credentials used with SMB.

This vulnerability exists due to improper handling of NTLM authentication credentials during SMB connection requests. When a user connects to a resource shared via SMB, the affected system may transmit credentials in a way that could expose those credentials for reuse.

An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to visit an SMB resource on a remote system, thereby executing arbitrary code in the user's context. The attacker could then use the provided credentials in an unspecified way to connect back to the user's system with the privileges of that user, possibly granting the attacker unauthorized access.

      NOTE: Proof-of-concept code to exploit this vulnerability is publicly available on the internet.

Workarounds

  • Block TCP ports 139 and 445 at the firewall
  • Enable SMB signing

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS08-068.
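
To check whether the SMB signing workaround is in place on a host, the script below reads the signing settings for the SMB server and client services. It is an added example, not part of the advisory or the Microsoft bulletin; the function name Get-SmbSigningState is hypothetical, and an absent registry value is reported as 0 by assumption.

```powershell
# Added example (not from the advisory or from Microsoft): report the SMB
# signing state of the local host. Get-SmbSigningState is a hypothetical
# helper name. The script only reads the registry; it changes nothing.
function Get-SmbSigningState {
    $base  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $roles = @(
        @{ Role = 'Server'; Path = "$base\LanmanServer\Parameters" },
        @{ Role = 'Client'; Path = "$base\LanmanWorkstation\Parameters" }
    )

    foreach ($r in $roles) {
        $props = Get-ItemProperty -Path $r.Path -ErrorAction SilentlyContinue

        # Assumption: an absent value is reported as 0. The effective OS
        # default for an absent value varies by Windows version and role.
        $enabled  = [int]$props.EnableSecuritySignature
        $required = [int]$props.RequireSecuritySignature

        if ($required -eq 1) {
            $status = 'Signing required'
        } elseif ($enabled -eq 1) {
            $status = 'Signing used only if the peer agrees'
        } else {
            $status = 'Signing not configured'
        }

        New-Object PSObject -Property @{
            Role                     = $r.Role
            EnableSecuritySignature  = $enabled
            RequireSecuritySignature = $required
            Status                   = $status
        }
    }
}

# One row per role (SMB server service and SMB client service).
Get-SmbSigningState |
    Format-Table Role, EnableSecuritySignature, RequireSecuritySignature, Status -AutoSize
```

Run it from a PowerShell prompt with read access to HKLM; the server and client roles are reported separately because each has its own signing setting.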

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS08-068.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx

References

FrSIRT
http://www.frsirt.com/english/advisories/2008/3110

SecurityFocus
http://www.securityfocus.com/bid/7385/

SecurityTracker
http://www.securitytracker.com/alerts/2008/Nov/1021163.html

Secunia
http://secunia.com/advisories/32633/

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=16986

CVE Name
CVE-2008-4037

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003