TechNet Home > TechNet Security > Security Advisories

Microsoft Security Advisory (977544)

Vulnerability in SMB Could Allow Denial of Service

Published: November 13, 2009

Version: 1.0

General Information

Executive Summary

Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.

Top of sectionTop of section

Advisory Details

Issue References

For more information about this issue, see the following references:

ReferencesIdentification

CVE Reference

CVE-2009-3676

Top of sectionTop of section

Affected and Non-Affected Software

This advisory discusses the following software.

Affected Software

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems*

Windows Server 2008 R2 for Itanium-based Systems

Non-Affected Software

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

*Server Core installation affected. This advisory applies to supported editions of Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 R2; see Compare Server Core Installation Options.

Top of sectionTop of section

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Microsoft Server Message Block (SMB) protocol. This affects the operating systems listed in the Affected Software section.

Is this a security vulnerability that requires Microsoft to issue a security update? 
Microsoft is currently working to develop a security update for Windows to address this vulnerability. Microsoft will release the security update once it has reached an appropriate level of quality for broad distribution.

Is this advisory related to MS09-050, released on October 13, 2009? 
No. Microsoft Security Bulletin MS09-050, "Vulnerability in SMBv2 Could Allow Remote Code Execution," addresses a remote code execution vulnerability in the SMBv2 server service. This advisory details a denial of service in the SMB client. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop responding until manually restarted.

What versions of SMB does this advisory address?
The issue discussed in this advisory affects both SMBv1 and SMBv2.

What is Microsoft Server Message Block (SMB) protocol? 
Microsoft Server Message Block (SMB) protocol is a Microsoft network file sharing protocol used in Microsoft Windows. For more information on SMB, see Microsoft SMB Protocol and CIFS Protocol Overview.

What is Server Message Block Version 2 (SMBv2)? 
Server Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB Version 2.0 (SMBv2) is an update to this protocol, and is only supported on computers running Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. SMBv2 can only be used if both client and server support it. If either client or server cannot support SMBv2, the SMB 1.0 protocol will be used instead. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows client advertises to the server that it can understand the new SMBv2 protocol. If the server understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0 and continue to function as normal. For more information on SMBv2, see the MSDN article, Server Message Block (SMB) Version 2 Protocol Specification.

What is the difference between SMBv1 and SMBv2?
Both protocols are used by clients to request file and print services from a server system over the network. Both are stateful protocols in which clients establish a connection to a server, establish an authenticated context on that connection, and then issue a variety of requests to access files, printers, and named pipes for interprocess communication. The SMBv2 protocol is a major revision of the existing SMB protocol. While many of the underlying concepts are the same, the packet formats are completely different. In addition to providing all of the capabilities found in SMBv1, the SMBv2 protocol provides several enhancements:

Allowing an open to a file to be reestablished after a client connection becomes temporarily disconnected.

Allowing the server to balance the number of simultaneous operations that a client can have outstanding at any time.

Providing scalability in terms of the number of shares, users, and simultaneously open files.

Supporting symbolic links.

Using a stronger algorithm to validate the integrity of requests and responses.

What causes this threat? 
The vulnerability is caused by the Microsoft Server Message Block (SMB) protocol software insufficiently validating all fields when parsing specially crafted SMB packets.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could cause a user's system to stop responding until manually restarted.

Can this vulnerability be exploited using Internet Explorer?
No. However, this issue may be exploited through Web transactions, regardless of browser type. In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user's system to stop responding until manually restarted. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker's site.

Top of sectionTop of section

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of this issue. The following mitigating factors may be helpful in your situation:

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the SMB ports should be blocked from the Internet.

Top of sectionTop of section

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Block TCP ports 139 and 445 at the firewall

These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all SMB communications to and from the Internet to help prevent attacks. For more information about ports, see TCP and UDP Port Assignments.

Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:

Applications that use SMB (CIFS)

Applications that use mailslots or named pipes (RPC over SMB)

Server (File and Print Sharing)

Group Policy

Net Logon

Distributed File System (DFS)

Terminal Server Licensing

Print Spooler

Computer Browser

Remote Procedure Call Locator

Fax Service

Indexing Service

Performance Logs and Alerts

Systems Management Server

License Logging Service

How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.

Top of sectionTop of section

Additional Suggested Actions

Protect your PC

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

For more information about staying safe on the Internet, visit Microsoft Security Central.

Keep Windows Updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Top of sectionTop of section

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Top of sectionTop of section

Feedback

You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

Top of sectionTop of section

Support

Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

Microsoft TechNet Security provides additional information about security in Microsoft products.

Top of sectionTop of section

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Top of sectionTop of section

Revisions

V1.0 (November 13, 2009): Advisory published.

Top of sectionTop of section

Top of pageTop of page