CERT-In Vulnerability Note CIVN-2009-06
Microsoft Windows SMB Packet Handling Vulnerabilities

Original Issue Date: January 14, 2009

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems (including server core installation)
  • Windows Server 2008 for x64-based Systems (including server core installation)
  • Windows Server 2008 for Itanium-based Systems

Overview

Multiple vulnerabilities have been reported in the Microsoft Server Message Block (SMB) Protocol. Successful exploitation could allow an attacker to execute arbitrary code on affected systems with full administrative rights, or could lead to a denial of service condition.

Description

Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows.

1.  Microsoft Windows SMB Packet Processing Buffer Overflow Vulnerability (CVE-2008-4834)

This vulnerability exists due to improper boundary checking on parameters within SMB messages received prior to authentication routines. The processing of overly large values could trigger a buffer overflow, resulting in the corruption of memory.

Note: Microsoft Windows Vista and Windows Server 2008 systems are not affected by this vulnerability.

2.  Microsoft Windows SMB Validation Code Execution Vulnerability (CVE-2008-4835)

This vulnerability is due to insufficient validation of SMB network messages. The processing of a malformed SMB packet could corrupt system memory, possibly causing exploitable memory corruption, or a system failure if the Server service stops unexpectedly, which would result in a denial of service condition.

Successful exploitation of the above vulnerabilities may allow execution of arbitrary code, but requires that the Server service be enabled. Most attempts to exploit these vulnerabilities would result in a system denial of service condition.

3.  Microsoft Windows WRITE_ANDX SMB Packet Handling Denial of Service Vulnerability (CVE-2008-4114, CIVN-2008-171)

A denial of service vulnerability exists due to an input validation error when handling WRITE_ANDX SMB packets in the SMB protocol kernel driver srv.sys (the Server service driver), which supports file, print, and named-pipe sharing over a network.

This can be exploited to cause an invalid memory access and crash the system via a specially crafted SMB packet with an offset that is inconsistent with the packet size.

Successful exploitation of this vulnerability could cause a user's system to stop responding and restart.

NOTE: Proof-of-concept code to exploit this vulnerability is publicly available on the Internet.

Workarounds

  • Restrict network access to SMB services
  • Block TCP ports 139 and 445 at the firewall

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS09-001.
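The following PowerShell script is an added example of applying and verifying the two workarounds above; it is not part of the CERT-In note or of Microsoft's bulletin. It assumes the built-in Windows Firewall with Advanced Security (the netsh advfirewall context, present on Windows Vista and Windows Server 2008 and later; Windows 2000, XP and Server 2003 use the older netsh firewall context or a third-party firewall instead), an elevated prompt, and that a second host is available to run the reachability check from. The rule name, the remote address range and the hostname filesrv01.example.test are placeholders.

```powershell
# Added example (not from the CERT-In note): apply the "block TCP 139 and 445 at the
# firewall" workaround with netsh advfirewall and verify it from another machine.
# Assumptions: built-in Windows Firewall (Vista / Server 2008 or later), elevated prompt.
# Caveat: blocking inbound SMB stops file, print and named-pipe sharing to this host,
# so scope the rule with -RemoteIp to untrusted ranges if the host must still serve SMB.

$RuleName = 'CIVN-2009-06 block inbound SMB (TCP 139,445)'   # placeholder rule name

function Add-SmbBlockRule {
    param([string]$Name = $RuleName,
          [string]$RemoteIp = 'any')   # e.g. '0.0.0.0-9.255.255.255' to exempt 10.0.0.0/8
    # Block inbound TCP 139 (NetBIOS session) and 445 (direct-hosted SMB) on all profiles.
    & netsh advfirewall firewall add rule name="$Name" dir=in action=block `
        protocol=TCP localport=139,445 remoteip=$RemoteIp profile=any enable=yes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Remove-SmbBlockRule {
    param([string]$Name = $RuleName)
    # Roll the workaround back once the MS09-001 update has been applied.
    & netsh advfirewall firewall delete rule name="$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-SmbPortBlocked {
    param([string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 2000)
    # Run this from a DIFFERENT host: returns $true when a TCP connect to the target port
    # does not complete (filtered or closed), $false when the port still accepts connections.
    # Uses System.Net.Sockets.TcpClient so it works on PowerShell 1.0/2.0, where
    # Test-NetConnection does not exist. Loopback tests are not meaningful because
    # loopback traffic bypasses the profile rules.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $true }
        $client.EndConnect($async)   # throws if the connection was refused or reset
        return $false                # connected: SMB is still reachable
    } catch {
        return $true
    } finally {
        $client.Close()
    }
}

# Usage on the affected host: apply the block rule.
if (Add-SmbBlockRule) { Write-Host "Inbound SMB block rule '$RuleName' added." }

# Usage on a second host: confirm the hardened server no longer answers on 139/445.
foreach ($p in 139, 445) {
    $blocked = Test-SmbPortBlocked -ComputerName 'filesrv01.example.test' -Port $p
    $state = if ($blocked) { 'blocked or unreachable' } else { 'STILL OPEN' }
    Write-Host ("TCP {0}: {1}" -f $p, $state)
}
```

Keep the rule in place only until the MS09-001 update is installed and confirmed, then call Remove-SmbBlockRule so that legitimate file and print sharing resumes; a host that must keep serving SMB to internal clients should get a rule scoped with -RemoteIp rather than the all-addresses default.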

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS09-001.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-001.mspx
http://blogs.technet.com/swi/default.aspx

References

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=16665
http://tools.cisco.com/security/center/viewAlert.x?alertId=17359
http://tools.cisco.com/security/center/viewAlert.x?alertId=17352

Secunia
http://secunia.com/advisories/31883/

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jan/1021560.html

SecurityFocus
http://www.securityfocus.com/bid/31179
http://www.securityfocus.com/bid/33122
http://www.securityfocus.com/bid/33121

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2008-171.htm

CVE Name
CVE-2008-4834
CVE-2008-4835
CVE-2008-4114


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003