Tuesday

SMBv2 exploit for Vista and Server 2008 released

While I was too busy with BruCON, it seems that an SMBv2 vulnerability was published: Security Advisory 975497. While it affects Windows Vista and Server 2008, other versions are not vulnerable (including Windows 7 and Windows Server 2008 R2).

Port 445 needs to be open for the service to be exploited. Microsoft hasn't released an (out of band) patch since there was no working exploit code but promised to do so if the threat landscape changed. Blocking ports 135 and 445 is one of the recommended countermeasures. You can also disable SMBv2 through a registry key if not needed.
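To verify on your own hosts that these countermeasures took effect, the sketch below (an added example, not part of the original post or the advisory) sends an ordinary SMB multi-protocol NEGOTIATE to TCP 445 and reports whether the port is blocked or whether the server still answers with SMBv2. It covers port 445 only; the host addresses, function names and result labels are assumptions made for the example.

```python
import socket
import struct

DIALECTS = [b"NT LM 0.12", b"SMB 2.002"]  # SMB1 plus the first SMBv2 dialect


def build_negotiate():
    """Build a well-formed SMB1 multi-protocol NEGOTIATE request."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72,      # protocol id, SMB_COM_NEGOTIATE
        0, 0x18, 0xC801,       # status, flags, flags2
        0, b"\x00" * 8, 0,     # PID high, signature, reserved
        0xFFFF, 0x0001, 0, 1,  # TID, PID low, UID, MID
    )
    body = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body
    return struct.pack(">I", len(smb)) + smb  # 4-byte NetBIOS session header


def classify(response):
    """Map the first bytes of a NEGOTIATE reply to a finding."""
    magic = response[4:8]  # skip the NetBIOS session header
    if magic == b"\xfeSMB":
        return "smb2-enabled"   # server picked the SMBv2 dialect
    if magic == b"\xffSMB":
        return "smb1-only"      # SMBv2 disabled or not supported
    return "unknown"


def check_host(host, timeout=3.0):
    """Return 'blocked', 'smb2-enabled', 'smb1-only' or 'unknown' for TCP 445."""
    try:
        with socket.create_connection((host, 445), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return classify(s.recv(1024))
    except OSError:
        return "blocked"        # filtered, refused or reset


if __name__ == "__main__":
    # Constructed inventory (TEST-NET-1 addresses); replace with your own hosts.
    for host in ["192.0.2.10", "192.0.2.11"]:
        print(host, check_host(host))
```

A Vista or Server 2008 host that still reports `smb2-enabled` from an untrusted network segment has neither countermeasure in place.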

So far it was only possible to crash the service, but that changed today. Working code has now been added to Metasploit. Although the code still needs improvement, it worked on several machines.

So, will we see new worms coming our way? Although Conficker was well written, fortunately it wasn't really used to its full potential. Will we be that lucky again?

Discuss vulnerabilities instead of patches at your patch meetings, because only patching doesn't cut it. Have a look at NIST's Creating a patch and vulnerability management program.
