
Microsoft SMBv2 Vulnerabilities

(MS09-050, CVE-2009-2526, CVE-2009-3103, CVE-2009-2532)

Several vulnerabilities pertaining to Microsoft Windows SMBv2 have been reported this month in MS09-050. A remote attacker may exploit these vulnerabilities to take complete control of an affected system.

SMB (Server Message Block) is a remote file protocol used by default by Microsoft Windows clients and servers. SMB Version 2.0 (SMBv2) is an update to this protocol and is supported only by computers running Windows Server 2008 and Windows Vista. SMBv2 can only be used if both client and server support it. If either client or server cannot support SMBv2, the SMB 1.0 protocol will be used instead.

Attack Details

CVE-2009-2526: This denial-of-service vulnerability is due to an error in the Microsoft Server Message Block (SMB) implementation that fails to sufficiently validate all fields when parsing specially crafted SMBv2 packets. A remote attacker could exploit this flaw via a specially crafted network message. While this will not "crash" the machine, it can consume all CPU time and require a reboot.

Check Point protects against attacks that use this vulnerability through its integrated IPS products, IPS Software Blade, and SmartDefense. This protection will detect and block malformed SMBv2 packets. See CPAI-2009-212.

CVE-2009-3103, CVE-2009-2532: This vulnerability is due to a memory corruption error in the Microsoft Server Message Block (SMB) implementation, which incorrectly indexes an array when handling specially crafted SMB packets and so fails to properly parse SMB negotiation requests. A remote attacker could exploit this flaw via a specially crafted SMB negotiation request. Successful exploitation could cause a denial of service condition and may allow execution of arbitrary code on the target system.

Check Point’s IPS products, IPS Software Blade, SmartDefense, and IPS-1, have protected against attacks that use this vulnerability since September 10th. These protections will detect and block malformed SMB negotiation requests. For more information, see CPAI-2009-194.
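
The structural checks an inspection point can apply to an SMB negotiation request before it reaches the server, and how the dialect list decides whether SMBv2 is on offer, as an added example that is not Check Point's or Microsoft's code and does not reproduce the CPAI-2009-194 or CPAI-2009-212 protections. It assumes the standard SMB1 NEGOTIATE layout (32-byte header, WordCount, ByteCount, 0x02-prefixed dialect strings) with the NetBIOS session header already removed; `check_negotiate`, `offers_smb2` and `build_sample` are hypothetical names.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32  # fixed SMB1 header size (assumed layout, see lead-in)

def check_negotiate(msg: bytes):
    """Return (dialects, problems); an empty problems list means well-formed."""
    problems = []
    if len(msg) < HEADER_LEN + 3:
        return [], ["truncated: shorter than header + WordCount + ByteCount"]
    if msg[:4] != SMB1_MAGIC:
        return [], ["bad protocol magic"]
    if msg[4] != SMB_COM_NEGOTIATE:
        return [], ["not a NEGOTIATE command"]
    if msg[HEADER_LEN] != 0:
        return [], [f"WordCount is {msg[HEADER_LEN]}, expected 0"]
    (byte_count,) = struct.unpack_from("<H", msg, HEADER_LEN + 1)
    data = msg[HEADER_LEN + 3:]
    if byte_count != len(data):
        problems.append(f"ByteCount {byte_count} != actual {len(data)}")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            problems.append(f"offset {pos}: missing 0x02 dialect marker")
            break
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            problems.append(f"offset {pos}: dialect string not NUL-terminated")
            break
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    if not dialects:
        problems.append("no dialects offered")
    return dialects, problems

def offers_smb2(dialects):
    # SMBv2 is only negotiated when the client lists an "SMB 2.x" dialect.
    return any(d.startswith("SMB 2.") for d in dialects)

def build_sample(dialects):
    # Constructed test message: zeroed header fields, then the dialect list.
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    return header + b"\x00" + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    print(check_negotiate(build_sample(["NT LM 0.12", "SMB 2.002"])))
```
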