From: MICROSOFT <secure_(at)_microsoft.com>
Date: 12.12.2007
Subject: Microsoft Security Bulletin MS07-063 – Important Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)

Microsoft Security Bulletin MS07-063 – Important
Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)
Published: December 11, 2007

Version: 1.0
General Information
Executive Summary

This important security update resolves a privately reported vulnerability in Server Message Block Version 2 (SMBv2). The vulnerability could allow an attacker to tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2.

This is an Important security update for all supported versions of Windows Vista. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses the vulnerability by implementing proper signing using SMBv2. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. None
Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software
Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
Windows Vista | Remote Code Execution | Important | None
Windows Vista x64 | Remote Code Execution | Important | None

Non-Affected Software
Operating System

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Frequently Asked Questions (FAQ) Related to This Security Update

I am using an older version of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which versions or editions are affected. Other versions or editions are past their support life cycle. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older versions or editions of the software to migrate to supported versions or editions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Affected Software | SMBv2 Signing Vulnerability - CVE-2007-5351 | Aggregate Severity Rating
Windows Vista | Important (Remote Code Execution) | Important
Windows Vista x64 Edition | Important (Remote Code Execution) | Important

SMBv2 Signing Vulnerability - CVE-2007-5351

A remote code execution vulnerability exists in the SMBv2 protocol that could allow a remote anonymous attacker to run code with the privileges of the logged-on user.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-5351.

Mitigating Factors for SMBv2 Signing Vulnerability - CVE-2007-5351

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:


- SMB signing is off by default in Windows Vista, which means that a computer running Microsoft Vista won’t use it unless it connects to another host which requires it.
- When a previous operating system version is part of the communications, SMBv2 will not be used. For example, Windows Vista would use SMB to communicate with Windows XP, rather than SMBv2.
- Customers using SMBv1 are not affected by this vulnerability.

Workarounds for SMBv2 Signing Vulnerability - CVE-2007-5351

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:


Disable SMBv2

To disable SMBv2, follow these steps:

Note: The following procedure is necessary only if the user wants to use SMB signing. If the user does not want to use SMB signing (the default condition except on a Windows Server 2008 domain), they do not need to do anything.

1. Create a .reg file with the following contents:

Windows Registry Editor Version 5.00

; DependOnService (REG_MULTI_SZ) = Bowser, MRxSmb10, NSI
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000

2. Run the .reg file by clicking it.

3. Open a command prompt as Administrator.

4. Run the following command:

sc config mrxsmb20 start= disabled

5. Restart the computer.


Impact of workaround. Any performance improvements made to SMBv2 are not available if SMBv2 is disabled.

How to undo the workaround.

To enable SMBv2, follow these steps:

1. Create a .reg file with the following contents:

Windows Registry Editor Version 5.00

; DependOnService (REG_MULTI_SZ) = Bowser, MRxSmb10, MRxSmb20, NSI
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4d,00,52,00,78,00,53,00,6d,00,62,\
  00,32,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000001

2. Run the .reg file by double-clicking it.

3. Open a command prompt as Administrator.

4. Run the following command:

sc config mrxsmb20 start= demand

5. Restart the computer.
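
One way to confirm which state a machine is in from a registry export, as an added example that is not part of the Microsoft bulletin: it decodes the REG_MULTI_SZ DependOnService data and the Smb2 DWORD used in the workaround. The function names and the embedded sample export are constructed for illustration, and the check does not cover the mrxsmb20 service start type set in step 4.

```python
import re

# Constructed sample: the bulletin's "disable SMBv2" values as they appear in a
# registry export (hex continuation lines end with a backslash).
SAMPLE_DISABLED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000
'''

VALUE_RE = re.compile(r'"([^"]+)"=(hex\(7\)|dword):(.*)')


def parse_reg(text):
    """Return {KEY_PATH: {value_name: decoded}} for hex(7) and dword values."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, kind, data = m.groups()
        if kind == "dword":
            current[name] = int(data, 16)
        else:  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL end
            raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
            current[name] = [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return keys


def smbv2_workaround_state(text):
    """Compare an export against the bulletin's 'SMBv2 disabled' values."""
    keys = parse_reg(text)
    svc = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES"
    deps = keys.get(svc + r"\LANMANWORKSTATION", {}).get("DependOnService", [])
    smb2 = keys.get(svc + r"\LANMANSERVER\PARAMETERS", {}).get("Smb2")
    client_off = bool(deps) and "MRXSMB20" not in [d.upper() for d in deps]
    server_off = smb2 == 0  # a missing Smb2 value is not treated as disabled
    return {"client_depends_on": deps, "client_smb2_off": client_off,
            "server_smb2_off": server_off, "disabled": client_off and server_off}
```
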

FAQ for SMBv2 Signing Vulnerability - CVE-2007-5351

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
SMBv2 signing is implemented incorrectly, in a way that could allow an attacker to modify an SMBv2 packet and re-compute the signature.

What is SMBv2?
Server Message Block (SMB) is the file sharing protocol used by default on Windows based computers. SMB Version 2.0 (SMBv2) is an update to this protocol and is only supported on computers running Windows Server 2008 and Windows Vista. SMBv2 can only be used if both client and server support it. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows Vista client advertises to the server that it can understand the new SMBv2 protocol. If the server (Windows Server 2008 or otherwise) understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0.

What is SMBv2 Signing?
SMBv2 signing is a feature through which all communications using the Server Message Block (SMB) protocol can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. An attacker could then tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could modify SMBv2 packets and impersonate a trusted source to perform malicious operations.

What systems are primarily at risk from the vulnerability?
Windows Vista systems that communicate using SMBv2 signing are primarily at risk.

What does the update do?
The update removes the vulnerability by correctly implementing signing for SMBv2 packets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Other Information
Support


Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.


International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions


V1.0 (December 11, 2007): Bulletin published.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod