Vulnerability Note VU#867968

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. It is not clear at this point whether this vulnerability may be exploitable beyond a denial-of-service attack. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems.

Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction.

Exploit code for this vulnerability is publicly available.

By causing a Windows system to connect to a malicious SMB share, a remote attacker may be able to cause a denial of service or potentially execute arbitrary code with Windows kernel privileges.

The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Block outbound SMB

Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.