Microsoft SMB Client Vulnerabilities
(MS10-020)
Several vulnerabilities have been identified in the Microsoft Server Message Block (SMB) client, the Windows component that speaks the SMB network file sharing protocol to remote servers, that could allow remote code execution. One of them, CVE-2009-3676, had been public for five months at the time of the bulletin and was the first confirmed zero-day vulnerability in Windows 7. See Microsoft Security Advisory 977544. Check Point has provided immediate protection since November 17, 2009.
Server Message Block (SMB) is a network file sharing protocol that lets users share resources such as files, printers and serial ports over the network. Microsoft Windows clients use SMB to reach shared Windows resources such as files and printers. On internal LANs and subnets, which often comprise hundreds or thousands of personal workstations running Microsoft Windows, SMB can account for the majority of traffic passed between hosts.
These protections detect and block malformed SMB packets. All of these vulnerabilities are on the client side: the malformed data arrives in the responses sent by an SMB server, so to exploit them an attacker must host a malicious SMB server and convince the user to initiate an SMB connection to it (for example by following a link to a share on that server).
Microsoft SMB Endless Loop Denial of Service (CVE-2009-3676)
A denial of service vulnerability has been reported in the way the Microsoft Server Message Block (SMB) client handles specially crafted SMB responses. The vulnerability is due to an error in the Microsoft SMB implementation that fails to sufficiently validate all fields when parsing such packets; a crafted or incomplete response can send the client into an endless loop, leaving the system unresponsive until it is restarted. CPAI-2009-296.
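To make "malformed SMB packets" concrete, here is an added example of the length-consistency checks a detection engine has to apply to SMB responses before a client parses them. It is illustrative code written for this page, not Check Point's signature logic and not Microsoft's parser, and it does not reproduce the exact response that triggers CVE-2009-3676 (which the page does not give). It assumes SMB1 over direct TCP with the 4-byte NetBIOS session framing, builds a constructed NT LM 0.12 Negotiate Protocol Response, and then checks that the NetBIOS length, WordCount and ByteCount all fit the bytes actually present, which is the class of validation the vulnerable client failed to do.

```python
"""Length-consistency checks for SMB1 server responses (illustrative example, not vendor code)."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB1_HEADER_LEN = 32            # fixed SMB1 header, MS-CIFS SMB_Header
SMB_FLAGS_REPLY = 0x80          # Flags bit set on server-to-client messages
SMB_COM_NEGOTIATE = 0x72
NEGOTIATE_WORD_COUNTS = (1, 13, 17)   # Core, LANMAN and NT LM 0.12 response shapes


def build_smb1_message(command, words, data, byte_count=None, mid=1):
    """NetBIOS-framed SMB1 server reply. byte_count lets a sample lie about its data length."""
    assert len(words) % 2 == 0, "parameter words are 16-bit units"
    # Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0, SMB_FLAGS_REPLY,
                         0xC801, 0, b"\0" * 8, 0, 0, 0, 0, mid)
    declared = len(data) if byte_count is None else byte_count
    smb = header + struct.pack("<B", len(words) // 2) + words + struct.pack("<H", declared) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message + 3-byte length


def check_smb1_response(packet):
    """Return a list of problems; an empty list means every declared length fits the bytes on the wire."""
    problems = []
    if len(packet) < 4:
        return ["no NetBIOS session header"]
    nb_len = int.from_bytes(packet[1:4], "big")
    payload = packet[4:]
    if packet[0] != 0x00:
        problems.append(f"NetBIOS message type 0x{packet[0]:02x} is not a session message")
    if nb_len != len(payload):
        # The server promised more (or fewer) bytes than it delivered: an incomplete response.
        problems.append(f"NetBIOS length {nb_len} != {len(payload)} bytes present")
    if len(payload) < SMB1_HEADER_LEN + 1:
        problems.append("truncated SMB header")
        return problems
    if payload[:4] != SMB1_MAGIC:
        problems.append("bad SMB protocol id")
        return problems
    command, flags = payload[4], payload[9]
    if not flags & SMB_FLAGS_REPLY:
        problems.append("reply flag clear on a server-to-client message")
    word_count = payload[SMB1_HEADER_LEN]
    words_end = SMB1_HEADER_LEN + 1 + 2 * word_count
    if words_end + 2 > len(payload):          # parameter words plus the ByteCount field must fit
        problems.append(f"WordCount {word_count} runs past end of message")
        return problems
    byte_count = struct.unpack_from("<H", payload, words_end)[0]
    data_end = words_end + 2 + byte_count
    if data_end > len(payload):
        problems.append(f"ByteCount {byte_count} runs past end of message")
    elif data_end < len(payload):
        problems.append(f"{len(payload) - data_end} trailing bytes after declared data")
    if command == SMB_COM_NEGOTIATE and word_count not in NEGOTIATE_WORD_COUNTS:
        problems.append(f"Negotiate response WordCount {word_count} matches no known dialect")
    return problems


# Constructed sample: an NT LM 0.12 Negotiate Protocol Response (17 parameter words, 34 bytes).
_NEGOTIATE_WORDS = struct.pack(
    "<HBHHIIIIqhB",
    0,              # DialectIndex: the first dialect the client offered
    0x03,           # SecurityMode: user-level security, challenge/response
    50, 1,          # MaxMpxCount, MaxNumberVcs
    16644, 65536,   # MaxBufferSize, MaxRawSize
    0, 0x8000E3FD,  # SessionKey, Capabilities
    0, 0,           # SystemTime, ServerTimeZone
    8,              # ChallengeLength
)
_NEGOTIATE_DATA = b"\x11" * 8 + b"WORKGROUP\x00"   # challenge + domain name (ASCII for brevity)

GOOD_NEGOTIATE = build_smb1_message(SMB_COM_NEGOTIATE, _NEGOTIATE_WORDS, _NEGOTIATE_DATA)
TRUNCATED_NEGOTIATE = GOOD_NEGOTIATE[:40]   # server stopped early; framing still promises 87 bytes
OVERSTATED_BYTECOUNT = build_smb1_message(SMB_COM_NEGOTIATE, _NEGOTIATE_WORDS, _NEGOTIATE_DATA,
                                          byte_count=500)   # ByteCount points past the packet

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_NEGOTIATE), ("truncated", TRUNCATED_NEGOTIATE),
                      ("overstated", OVERSTATED_BYTECOUNT)):
        print(f"{name:10s} {check_smb1_response(pkt) or 'ok'}")
```

The order of the checks matters: the framing length is compared against the bytes actually received before any SMB field is read, so a response cut short by the server is reported without ever dereferencing a WordCount or ByteCount that points beyond the buffer. A client that instead trusts the declared counts and waits for the missing bytes is exactly the shape of bug the endless-loop description above refers to.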
Microsoft SMB Client Transaction Memory Corruption (CVE-2010-0270)
A remote code execution vulnerability has been reported in the Microsoft Windows Server Message Block (SMB) client implementation. The vulnerability is due to an error in the Microsoft SMB client implementation that fails to properly validate fields in the SMB response. CPAI-2010-065.
Microsoft SMB Client Memory Allocation Memory Corruption (CVE-2010-0269)
A remote code execution vulnerability has been reported in the Microsoft Windows Server Message Block (SMB) client implementation. The vulnerability is due to an error in the Microsoft SMB client implementation that fails to properly allocate memory when parsing specially crafted SMB responses. CPAI-2010-064.
Microsoft SMB Client Message Size Remote Code Execution (CVE-2010-0477)
A remote code execution vulnerability has been reported in the Microsoft Windows Server Message Block (SMB) client implementation. The vulnerability is due to an error in the Microsoft SMB client implementation that fails to properly handle specially crafted SMB responses that cause the SMB client to consume the entire response and indicate an invalid value to the Winsock kernel. CPAI-2010-063.
Microsoft SMB Client Response Parsing Memory Corruption Vulnerability (CVE-2010-0476)
A remote code execution vulnerability has been reported in the Microsoft Windows Server Message Block (SMB) client implementation. The vulnerability is due to an error in the Microsoft SMB client implementation that fails to properly parse specially crafted SMB transaction responses. A remote attacker could exploit this flaw by hosting a malicious SMB server designed to trigger the vulnerability and then convincing a user to initiate an SMB connection with it. Successful exploitation may allow execution of arbitrary code on the target system. CPAI-2010-061.