Today we released two bulletins to address vulnerabilities in SMB. MS10-006 addresses two vulnerabilities in the SMBv1 client implementation, and MS10-012 addresses four vulnerabilities in the SMB server implementation. In this blog entry, we want to help you understand the vulnerabilities and better prioritize the updates.

What are the SMB server vulnerabilities and how could they be exploited?

The first issue is an authenticated remote code execution (RCE) vulnerability (CVE-2010-0020) in the server SMBv1 implementation on all versions of Windows. A long filename can lead to kernel pool memory corruption in an error path. This issue has a severity rating of Important, as an attacker needs to be authenticated to perform the attack.

The second and third issues (CVE-2010-0021 and CVE-2010-0022) are remote unauthenticated denial-of-service (DoS) vulnerabilities in the SMBv1 and SMBv2 server implementations and have Important severity ratings. CVE-2010-0021 is caused by a race condition when handling valid Negotiate requests. CVE-2010-0022 is caused by an integer underflow when handling a path name in the SMB request.

The final server-side issue is CVE-2010-0231, an Important-severity remote unauthenticated elevation of privilege (EoP) affecting all versions of Windows. This issue is unusual in that it is caused by weak entropy in the cryptographic challenge values generated by SMB. An attacker could exploit this issue and gain access to the SMB server under the credentials of an authorized user.

We recommend placing higher priority on the SMB server-side update due to the risk of RCE and EoP on all systems.

What are the SMB client vulnerabilities?

The first issue is a Critical severity kernel pool memory corruption vulnerability (CVE-2010-0016) in the client SMBv1 implementation on Windows 2003 and below. The vulnerability happens during the SMB client/server negotiation phase and does not require authentication. A remote attacker who successfully exploits this issue could gain complete control of the target system.

The second one is an Important severity race condition in the client SMBv1 code on Windows Vista and higher (CVE-2010-0017). The vulnerability is in the SMB client/server negotiation phase and does not require authentication. The severity of this issue depends on the version of Windows on the client computer:

  • On Windows Vista and Windows Server 2008 a remote attacker would not be able to gain control of a target system using this vulnerability; instead the impact would be a system DoS. However, a local authenticated user could potentially exploit this vulnerability and gain control of the system. On these platforms, the severity of this issue is Important. The update should be prioritized for Terminal Servers and other systems that allow users to log on locally.
  • On Windows 7 and Windows Server 2008 R2 a remote attacker can potentially gain control of a target system using a variation of this vulnerability. Due to the RCE impact, the severity of this issue on these platforms is Critical. Unsuccessful attempts to exploit the vulnerability would result in a system DoS. This update should be applied to all affected systems due to the RCE risk; however, due to the nature of the issue, DoS is much more likely.

Why does the SMB client update have an aggregate severity of Critical on Windows 7 and Windows Server 2008 R2, but only Important on Vista and Windows Server 2008?

As outlined above, CVE-2010-0017 affects Vista and higher systems and is rated Important on Vista and Windows Server 2008. However, on Windows 7 and Windows Server 2008 R2, the severity is higher (Critical) due to the risk of RCE. The reason for this difference is a design change made during the Windows 7 development process, when the SMB client code moved to use a new kernel-mode networking I/O mechanism – Winsock Kernel (WSK). This change exposed the SMB client code to different timing conditions, exposing a race condition. This race condition is different from the issue present on Vista and Windows Server 2008, although it is reachable under similar conditions.

It should be noted that WSK is not the source of the vulnerability and no change to WSK is being made in this update.

How could a malicious user exploit the SMB client vulnerabilities?

It is important to understand that both of the vulnerabilities in MS10-006 are in the SMB client implementation and do not affect SMB server roles. (For more details regarding SMB client/server roles, see reference 2 below.) Therefore, in order to exploit these vulnerabilities, an attacker would have to set up a malicious SMB server and trick the client into connecting to it. If your environment does not allow outbound SMB connections to the Internet (best practice), then you are protected from the Internet attack vector. A malicious user on the local network (or a compromised computer) would be able to exploit this issue by performing man-in-the-middle attacks and responding to SMB requests from clients within the Intranet.

The Internet attack vector would involve browsing to a malicious or compromised website, or receiving HTML email with embedded links to a malicious SMB server. If a victim attempted to retrieve the files or other content specified in the HTML file, an outbound SMB connection would be made and assuming SMB traffic were allowed through the perimeter firewall, the issues could be exploited.
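As an added illustration of the perimeter check described above (this is not code from the MSRC post), the following Python script flags outbound SMB connections from internal hosts to addresses outside the internal ranges in a constructed firewall log; the log format and the list of internal networks are assumptions to adapt to your own environment.

```python
# Added example: find outbound SMB (TCP 139/445) leaving the internal network,
# the Internet attack vector that a perimeter block removes. Log format and
# internal ranges are constructed assumptions, not a real product's output.
import ipaddress
import re
from collections import Counter

# Assumed log line shape: "<time> <ACTION> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Assumed internal address plan: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def outbound_smb_events(lines):
    """Yield TCP events where an internal host opens SMB to a non-internal address."""
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] not in SMB_PORTS:
            continue
        if is_internal(ev["src"]) and not is_internal(ev["dst"]):
            yield ev

def summarize(lines):
    """Count offending connections per (internal source host, firewall action)."""
    counts = Counter()
    for ev in outbound_smb_events(lines):
        counts[(ev["src"], ev["action"])] += 1
    return counts

# Constructed sample log: one allowed and one denied outbound SMB attempt.
SAMPLE_LOG = """\
2010-02-09T10:00:01 ALLOW proto=tcp src=10.0.0.5:50123 dst=10.0.0.20:445
2010-02-09T10:00:02 ALLOW proto=tcp src=10.0.0.5:50124 dst=203.0.113.7:445
2010-02-09T10:00:03 DENY proto=tcp src=10.0.0.9:50125 dst=198.51.100.4:139
2010-02-09T10:00:04 ALLOW proto=tcp src=10.0.0.9:50126 dst=198.51.100.4:80
2010-02-09T10:00:05 ALLOW proto=udp src=10.0.0.5:137 dst=10.0.0.255:137
"""

if __name__ == "__main__":
    for (src, action), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} {action} outbound SMB x{n}")
```

An ALLOW hit means the perimeter does not block outbound SMB and the client-side update should be prioritized; DENY hits show which hosts are being lured.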

Depending on your environment, you may not need to place a high priority on the SMB client-side update.

We would like to thank Dustin Childs from MSRC and Kowshik Jaganathan and the Windows Sustained Engineering team for their hard work on this update.

- Bruce Dang and Mark Wodrich, MSRC Engineering

References:

1. Winsock Kernel on MSDN (http://blogs.msdn.com/wndp/archive/2006/02/24/538746.aspx)
2. SMB client/server roles (http://msdn.microsoft.com/en-us/library/aa365233(VS.85).aspx)