CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Vulnerabilities in SMB Server Could Allow Remote Code Execution (MS11-020)
A vulnerability has been discovered in Microsoft Server Message Block (SMB) Server that could allow for remote code execution. SMB is used to provide shared access to files, printers, serial ports, and other miscellaneous communications between network devices. Successful exploitation of this vulnerability could result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: High
A remote code execution vulnerability exists due to the way that Microsoft Server Message Block (SMB) Protocol handles specially crafted SMB packets. Authentication is not required for this vulnerability to be exploited. This vulnerability can be exploited by an attacker sending a specially crafted SMB packet to a system running the Server Service, which is enabled by default on all systems.
Successful exploitation of this vulnerability could result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Implement egress and ingress filtering for TCP ports 139 and 445 at your network perimeter.