CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2011-020

DATE(S) ISSUED:
04/12/2011

SUBJECT:
Vulnerabilities in SMB Server Could Allow Remote Code Execution (MS11-020)

OVERVIEW:

A vulnerability has been discovered in Microsoft Server Message Block (SMB) Server that could allow for remote code execution. SMB is used to provide shared access to files, printers, serial ports, and other miscellaneous communications between network devices. Successful exploitation of this vulnerability could result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

SYSTEMS AFFECTED:

  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

 

DESCRIPTION:

A remote code execution vulnerability exists due to the way that Microsoft Server Message Block (SMB) Protocol handles specially crafted SMB packets. Authentication is not required for this vulnerability to be exploited. This vulnerability can be exploited by an attacker sending a specially crafted SMB packet to a system running the Server Service, which is enabled by default on all systems.


Successful exploitation of this vulnerability could result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Implement egress and ingress filtering for TCP ports 139 and 445 at your network perimeter.

REFERENCES:

Microsoft:

http://www.microsoft.com/technet/security/Bulletin/MS11-020.mspx

http://support.microsoft.com/kb/2508429

http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-019-and-ms11-020-april-smb-updates.aspx

 

CVE:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0661

 

Securityfocus:

http://www.securityfocus.com/bid/47198

 

Secunia:

http://secunia.com/advisories/44072/