
Protection against Microsoft Windows Server Message Block (SMB) Buffer Overflow Vulnerability (MS05-027)

Attack ID: CPAI-2005-111
Publish Date:
Category: Microsoft Windows Networks
Vulnerable Systems: Microsoft Windows 2000 SP3 and SP4
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and 2003 SP1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Source: Microsoft Security Bulletin MS05-027
Description:

The Server Message Block (SMB) protocol, and its more recent version, the Common Internet File System (CIFS), is used by Microsoft Windows to communicate between computers and to share files and printers. A vulnerability exists in Microsoft's implementation of the SMB protocol, allowing a remote attacker to execute arbitrary code on an affected system by sending specially crafted SMB packets.

Severity:
Details: The vulnerability resides in the implementation of Server Message Block (SMB). The affected products do not perform sufficient validation on the length of SMB network messages. An attacker could try to exploit this vulnerability by creating a series of specially crafted messages and sending them to an affected system. The messages could then cause the affected system to execute code. An attacker could also use another program that passes parameters to the vulnerable component either locally or remotely.

Attack Detection: Users of VPN-1 NG with Application Intelligence R55W, users of VPN-1 NGX R60 and users of InterSpect will identify the attack by the following log entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Buffer Overflow Attempt

Users of VPN-1 NG with Application Intelligence R55 will identify rule 92101 on the SmartView Tracker screen.

Solution: Users of VPN-1 NG with Application Intelligence R55 and R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window.

The Update blocks this vulnerability by validating the length of the largest possible message (MaxBufferSize), a session attribute negotiated between the SMB client and server components.
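
One way a gateway could apply the MaxBufferSize check described above, as an added example (not Check Point's SmartDefense code and not part of the original advisory): it reads MaxBufferSize from the server's SMB1 negotiate response and flags any later client message longer than that value. The class and function names and the sample frames are assumptions constructed for illustration, and the check ignores capabilities that permit larger reads and writes.

```python
import struct

SMB_MAGIC, SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY, HDR = b"\xffSMB", 0x72, 0x80, 32

class SmbLengthMonitor:
    """Learns the server's MaxBufferSize, then flags longer client messages."""

    def __init__(self):
        self.max_buffer_size = None  # unknown until a negotiate response is seen

    def inspect(self, frame: bytes, from_server: bool) -> str:
        # 4-byte session header: type 0x00, then a 24-bit big-endian length.
        if len(frame) < 4 or frame[0] != 0x00:
            return "drop: not a session message"
        msg = frame[4:]
        if int.from_bytes(frame[1:4], "big") != len(msg):
            return "drop: declared length does not match frame size"
        if len(msg) <= HDR or msg[:4] != SMB_MAGIC:
            return "drop: malformed SMB header"
        command, flags, word_count = msg[4], msg[9], msg[HDR]
        if from_server:
            if command == SMB_COM_NEGOTIATE and flags & SMB_FLAGS_REPLY and word_count == 17:
                if len(msg) < HDR + 1 + 34:
                    return "drop: truncated negotiate response"
                # MaxBufferSize: 32-bit LE, 7 bytes into the parameter words
                # (after DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs).
                (self.max_buffer_size,) = struct.unpack_from("<I", msg, HDR + 1 + 7)
            return "pass"
        if self.max_buffer_size is not None and len(msg) > self.max_buffer_size:
            return "alert: message exceeds negotiated MaxBufferSize"
        return "pass"


def constructed_frame(command: int, flags: int, body: bytes) -> bytes:
    """Constructed sample: 32-byte SMB header + body behind a session header."""
    msg = SMB_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22 + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def demo() -> list:
    """Replay a constructed session: negotiate reply, normal request, oversized request."""
    params = struct.pack("<HBHHIIIIQhB", 0, 3, 50, 1, 4356, 65536, 0, 0, 0, 0, 0)
    negotiate_reply = constructed_frame(SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY, b"\x11" + params + b"\x00\x00")
    small = constructed_frame(0x2B, 0x00, b"\x00" * 64)    # SMB_COM_ECHO, filler body only
    large = constructed_frame(0x2B, 0x00, b"\x00" * 8192)  # longer than 4356 bytes
    mon = SmbLengthMonitor()
    return [mon.inspect(negotiate_reply, True), mon.inspect(small, False), mon.inspect(large, False)]
```

MaxBufferSize counts the SMB header, parameter and data blocks but not the transport framing, which is why the comparison uses the message length after the 4-byte session header is removed.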

To enable the protection:

1. On the SmartDefense navigation tree, click Application Intelligence > Microsoft Networks and enable Block SMB Server Buffer Overflow.

2. Install security policy on all modules.

Industry Reference: CAN-2005-1206
Additional Information: