Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft SMB NTLM Authentication Lack of Entropy Vulnerability (MS10-012)

Subscribe

Check Point Reference: CPAI-2010-029
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS10-012
Industry Reference(s): CVE-2010-0231
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP2
Windows Server 2008 (Itanium)
Windows Server 2008 (Itanium) SP2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 (Itanium)
Vulnerability Description
An elevation of privilege vulnerability has been reported in the way that Microsoft Server Message Block (SMB) Protocol software handles authentication attempts. The SMB Protocol is a network file sharing protocol that is implemented in Microsoft Windows. A remote attacker may exploit this issue to gain access to the SMB service under the privileges of a specific authorized user.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-012
Vulnerability Details
The vulnerability is due to a lack of cryptographic entropy when the SMB server generates challenges and presents them to a connecting client. An attacker could trigger this issue by continuously attempting to authenticate against the SMB server and subsequently causing that server to generate duplicate values. This attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending large amounts of authentication requests to the SMB server. Successful exploitation of this issue may allow the attacker to upload and download files, and access SMB network resources available to the user whose account the attacker is able to access.

Protection Overview
This protection will detect and block multiple SMB requests attempting to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft SMB NTLM Authentication Lack of Entropy (MS10-012)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft SMB NTLM authentication lack of entropy (MS10-012)

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Microsoft SMB NTLM Authentication Lack of Entropy (MS10-012).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft SMB NTLM authentication lack of entropy (MS10-012)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SMB, and select the SMB Compliance protection group.
3. Click Microsoft SMB NTLM Authentication Lack of Entropy (MS10-012) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: SMB Compliance
Description: Microsoft SMB NTLM Authentication Lack of Entropy (MS10-012)