A critical vulnerability has been identified in the Microsoft Server Message Block (SMB) v2 implementation. A specially crafted SMB packet can crash the affected system and could potentially allow an attacker to take control of it.
MyCERT is aware that a '0-day' exploit is publicly available and is actively being used by attackers.
2.0 Impact
By exploiting this vulnerability, a remote attacker could execute arbitrary code on vulnerable installations of Microsoft Server Message Block (SMB) v2. Because the SMB v2 server runs in kernel mode, successful exploitation gives the attacker complete control of the affected system rather than merely the privileges of a logged-on user; an unsuccessful attempt still crashes the system (denial of service).
3.0 Affected Products
The Microsoft Windows operating systems listed below are affected by this vulnerability:
- Windows Vista Service Pack 0, Service Pack 1 and Service Pack 2
- Windows Vista x64 Edition Service Pack 0, Service Pack 1 and Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 0 and Service Pack 2
- Windows Server 2008 for x64-based Systems, Service Pack 0 and Service Pack 2
- Windows Server 2008 for Itanium-based Systems, Service Pack 0 and Service Pack 2
Windows XP and Windows Server 2003 do not implement SMB v2 and are therefore not affected.
4.0 Recommendation
At the time of this writing, Microsoft has not released any patch to address this vulnerability. Until a patch is available, users are recommended to disable SMB v2 on affected systems as a workaround. With SMB v2 disabled, the Server service falls back to SMB v1, so file and print sharing continue to work.
To apply the workaround that disables Microsoft Server Message Block (SMB) v2 automatically, download the Microsoft Fix it from this link http://go.microsoft.com/?linkid=9683379 and follow the steps in the wizard.
If you are unable to download it or prefer to do it manually, below are the steps to disable Microsoft Server Message Block (SMB) v2:
- Open Registry Editor (regedit.exe) with administrator privileges
- Locate and then click on the following registry subkey:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- Click LanmanServer
- Click Parameters
- If a value named Smb2 does not already exist under Parameters, create it: on the Edit menu, point to New, click DWORD Value and name it Smb2 (the value is not present by default)
- Double-click Smb2 and change the Value data field to 0
- Exit Registry Editor
- Restart the "Server" service, since the change takes effect only after a restart, by performing one of the following:
- Open the Computer Management MMC, navigate to Services and Applications, click Services, right-click the Server service and click Restart. Answer Yes in the pop-up dialog if asked to restart dependent services
- From a command prompt with administrator privileges, type net stop server and then net start server
To re-enable SMB v2 once the vendor patch has been installed, set the Smb2 value back to 1 (or delete it) and restart the Server service again.
Users are also advised to block TCP ports 139 and 445 at the firewall. Note that this blocks all SMB traffic, including legitimate file and print sharing, so it is best applied at the network perimeter rather than on internal file servers.
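The registry workaround, the Server service restart and the optional port block above, combined in one script as an added example (this is not part of the MyCERT advisory and not Microsoft's Fix it). It assumes an elevated PowerShell prompt on Windows Vista or Windows Server 2008; the switch names -Revert and -BlockFirewall and the firewall rule name are this example's own choices.

```powershell
# Added example, not from the MyCERT advisory: apply (or revert) the SMB v2
# workaround and verify the result. Run from an elevated PowerShell prompt.
#   .\smb2-workaround.ps1                 disable SMB v2
#   .\smb2-workaround.ps1 -BlockFirewall  also block inbound TCP 139/445 on the host firewall
#   .\smb2-workaround.ps1 -Revert         re-enable SMB v2 (and remove the firewall rule) after patching
param(
    [switch]$Revert,
    [switch]$BlockFirewall
)

$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name     = 'Smb2'
$wanted   = if ($Revert) { 1 } else { 0 }     # 0 disables SMB v2, 1 enables it
$ruleName = 'Block inbound SMB (TCP 139,445) - SMB v2 0-day workaround'   # assumed name

# The Smb2 value is not present by default, so create it as REG_DWORD when missing.
$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value $wanted
}

# The setting is read only at service start, so restart the Server (LanmanServer)
# service. -Force also restarts dependent services such as Computer Browser.
Restart-Service -Name LanmanServer -Force

# Optional host firewall rule. This blocks ALL SMB, including legitimate file sharing.
if ($BlockFirewall -and -not $Revert) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
}
if ($Revert) {
    # Deleting a rule that does not exist only produces a warning, which is fine here.
    netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
}

# Verify: read the value back and confirm the Server service is running again.
$current = (Get-ItemProperty -Path $key -Name $name).$name
$svc     = Get-Service -Name LanmanServer
if ($current -eq $wanted -and $svc.Status -eq 'Running') {
    $state = if ($wanted -eq 0) { 'disabled' } else { 'enabled' }
    Write-Output "SMB v2 is now $state; Server service is running."
} else {
    Write-Error "Workaround not applied: Smb2=$current, Server service status=$($svc.Status)"
}
```

The verification step matters: if the Server service fails to come back (for example because a dependent service refused to stop), file sharing is down while SMB v2 may still be enabled in the registry. Re-run the script with -Revert after the vendor patch is installed so that SMB v2 performance is restored.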
MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor. MyCERT can be reached through the following channels:
E-mail : [email protected]
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web : https://www.mycert.org.my
5.0 References