Credit:
The information has been provided by Microsoft Security Bulletin MS07-063.
The original article can be found at:
http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx
Mitigating Factors for SMBv2 Signing Vulnerability:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
* SMB signing is off by default in Windows Vista, which means that a computer running Microsoft Vista won't use it unless it connects to another host that requires it.
* When a previous operating system version is part of the communications, SMBv2 will not be used. For example, Windows Vista would use SMB to communicate with Windows XP, rather than SMBv2.
* Customers using SMBv1 are not affected by this vulnerability.
Workarounds for SMBv2 Signing Vulnerability:
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
* Disable SMBv2
To disable SMBv2, follow these steps:
Note: The following procedure is necessary only if the user wants to use SMB signing. If the user does not want to use SMB signing (the default condition except on a Windows Server 2008 domain), they do not need to do anything.
1. Create a .reg file with the following contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000
2. Run the .reg file by clicking it.
3. Open a command prompt as Administrator.
4. Run the following command:
sc config mrxsmb20 start= disabled
5. Restart the computer.
Impact of workaround. Any performance improvements made to SMBv2 are not available if SMBv2 is disabled.
* How to undo the workaround.
To enable SMBv2, follow these steps:
1. Create a .reg file with the following contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4d,00,52,00,78,00,53,00,6d,00,62,\
  00,32,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000001
2. Run the .reg file by double-clicking it.
3. Open a command prompt as Administrator.
4. Run the following command:
sc config mrxsmb20 start= demand
5. Restart the computer.
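The two .reg files above differ only in whether the LanmanWorkstation dependency list (a REG_MULTI_SZ stored as UTF-16LE hex) names MRxSmb20 and in the Smb2 dword. The following Python sketch is an added example, not part of the bulletin: it decodes a .reg text and reports which state it describes. The function names are hypothetical, and treating an absent Smb2 value as "enabled" is an assumption.

```python
import re

# Constructed sample: the "disable SMBv2" .reg contents from the workaround,
# with the trailing-backslash line continuation that .reg files use.
DISABLED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation]
"DependOnService"=hex(7):42,00,6f,00,77,00,73,00,65,00,72,00,00,00,4d,00,52,\
  00,78,00,53,00,6d,00,62,00,31,00,30,00,00,00,4e,00,53,00,49,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000
'''

def parse_reg(text):
    """Return {key_path: {value_name: decoded}} for hex(7) and dword values."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("hex(7):"):
                # REG_MULTI_SZ: UTF-16LE strings separated by NUL characters
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                strings = raw.decode("utf-16-le").split("\x00")
                current[name] = [s for s in strings if s]
            elif data.startswith("dword:"):
                current[name] = int(data[6:], 16)
    return keys

def smbv2_workaround_state(text):
    """Report the client dependency list and the server Smb2 switch."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    base = r"hkey_local_machine\system\currentcontrolset\services"
    deps = keys.get(base + r"\lanmanworkstation", {}).get("DependOnService", [])
    smb2 = keys.get(base + r"\lanmanserver\parameters", {}).get("Smb2")
    return {
        "dependencies": deps,
        "client_depends_on_mrxsmb20": any(d.lower() == "mrxsmb20" for d in deps),
        # Assumption: an absent Smb2 value is treated as enabled.
        "server_smb2_enabled": smb2 != 0,
    }
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `smbv2_workaround_state`.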
FAQ for SMBv2 Signing Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability?
SMBv2 signing is implemented incorrectly, in a way that could allow an attacker to modify an SMBv2 packet and re-compute the signature.
What is SMBv2?
Server Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB Version 2.0 (SMBv2) is an update to this protocol and is only supported on computers running Windows Server 2008 and Windows Vista. SMBv2 can only be used if both client and server support it. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows Vista client advertises to the server that it can understand the new SMBv2 protocol. If the server (Windows Server 2008 or otherwise) understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0.
What is SMBv2 Signing?
SMBv2 signing is a feature through which all communications using the Server Message Block (SMB) protocol can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity.
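What packet-level signing looks like when it works as intended, as an added Python example that is not part of the bulletin: the recipient recomputes a keyed MAC over the whole message and rejects anything that was modified or signed with a different key. The 64-byte header layout, the signed flag and the use of HMAC-SHA256 truncated to 16 bytes follow the public SMB2 protocol specification rather than this page; the session key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SMB2_FLAGS_SIGNED = 0x00000008
FLAGS_OFFSET = 16
SIG_OFFSET, SIG_LEN = 48, 16   # Signature field inside the 64-byte SMB2 header
HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")

def build_message(command, message_id, session_id, payload):
    """Build an unsigned SMB2 message: header with zeroed signature + payload."""
    header = HEADER.pack(b"\xfeSMB", 64, 0, 0, command, 1, 0, 0,
                         message_id, 0, 0, session_id, bytes(SIG_LEN))
    return header + payload

def _mac(buf, session_key):
    # The MAC covers the entire message with the Signature field set to zero.
    zeroed = bytearray(buf)
    zeroed[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = bytes(SIG_LEN)
    return hmac.new(session_key, bytes(zeroed), hashlib.sha256).digest()[:SIG_LEN]

def sign(message, session_key):
    """Set the signed flag, then store the truncated HMAC in the header."""
    buf = bytearray(message)
    flags = struct.unpack_from("<I", buf, FLAGS_OFFSET)[0] | SMB2_FLAGS_SIGNED
    struct.pack_into("<I", buf, FLAGS_OFFSET, flags)
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(buf, session_key)
    return bytes(buf)

def verify(message, session_key):
    """Recipient-side check; unsigned or altered messages are rejected."""
    if len(message) < HEADER.size or message[:4] != b"\xfeSMB":
        return False
    flags = struct.unpack_from("<I", message, FLAGS_OFFSET)[0]
    if not flags & SMB2_FLAGS_SIGNED:
        return False  # policy in this example: signing is required
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _mac(message, session_key))
```

A message altered in transit fails `verify` because the party altering it does not hold the session key needed to produce a matching signature.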
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. An attacker could then tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
An attacker could modify SMBv2 packets and impersonate a trusted source to perform malicious operations.
What systems are primarily at risk from the vulnerability?
Windows Vista systems that communicate using SMBv2 signing are primarily at risk.
What does the update do?
The update removes the vulnerability by correctly implementing signing for SMBv2 packets.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
CVE Information:
CVE-2007-5351