Executive Summary
Summary | |
---|---|
Title | Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) |
Informations | |||
---|---|---|---|
Name | MS09-050 | First vendor Publication | 2009-10-13 |
Vendor | Microsoft | Last vendor Modification | 2009-10-14 |
Severity (Vendor) | Critical | Revision | 1.1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Revision Note: V1.1 (October 14, 2009): Clarified the entry, "When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?" in the section, FAQ for SMBv2 Negotiation Vulnerability |
Original Source
Url : http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-399 | Resource Management Errors |
33 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5595 | |||
Oval ID: | oval:org.mitre.oval:def:5595 | ||
Title: | SMBv2 Infinite Loop Vulnerability | ||
Description: | Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 do not properly validate fields in SMBv2 packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted packet to the Server service, aka "SMBv2 Infinite Loop Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-2526 | Version: | 3 |
Platform(s): | Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | SMBv2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:6336 | |||
Oval ID: | oval:org.mitre.oval:def:6336 | ||
Title: | SMBv2 Command Value Vulnerability | ||
Description: | Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC do not properly process the command value in an SMB Multi-Protocol Negotiate Request packet, which allows remote attackers to execute arbitrary code via a crafted SMBv2 packet to the Server service, aka "SMBv2 Command Value Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-2532 | Version: | 3 |
Platform(s): | Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | SMBv2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:6489 | |||
Oval ID: | oval:org.mitre.oval:def:6489 | ||
Title: | SMBv2 Negotiation Vulnerability | ||
Description: | Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-3103 | Version: | 3 |
Platform(s): | Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | SMBv2 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Windows SMB2 buffer overflow | More info here |
ExploitDB Exploits
id | Description |
---|---|
2010-07-03 | Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference |
OpenVAS Exploits
Date | Description |
---|---|
2009-10-15 | Name : Microsoft Windows SMB2 Negotiation Protocol Remote Code Execution Vulnerability File : nvt/secpod_ms09-050-remote.nasl |
2009-10-01 | Name : Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Executio... File : nvt/ms_smb2_highid.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
58876 | Microsoft Windows SMB Packet Command Value Handling Remote Code Execution Windows contains a flaw that may allow a malicious user to execute remote code. The issue is triggered when a malicious user sends a specially crafted SMB Multi-Protocol Negotiate Request packet with a command value which Windows cannot process. It is possible that the flaw may allow execute remote code resulting in a loss of integrity. |
58875 | Microsoft Windows SMBv2 Packet Handling Infinitie Loop Remote DoS Windows contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious user submits a specially crafted SMBv2 packet causing an infinite loop, and will result in loss of availability for the platform. |
57799 | Microsoft Windows srv2.sys Kernel Driver SMB2 Malformed NEGOTIATE PROTOCOL RE... Microsoft Windows contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when a malicious user sends a specially crafted NEGOTIATE PROTOCOL REQUEST SMBv2 packet with an & (ampersand) character in a Process ID High header field, causing an attempted dereference of an out-of-bounds memory location. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity. |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Microsoft Windows SMB malformed process ID high field denial of service attempt RuleID : 26643 - Revision : 6 - Type : OS-WINDOWS |
2014-01-10 | Microsoft Windows SMBv2 integer overflow denial of service attempt RuleID : 16168 - Revision : 9 - Type : OS-WINDOWS |
2014-01-10 | Microsoft Windows SMB malformed process ID high field remote code execution a... RuleID : 15930 - Revision : 23 - Type : OS-WINDOWS |
Metasploit Database
id | Description |
---|---|
2009-09-07 | MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference |
2020-05-23 | Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference |
2020-05-23 | Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-10-13 | Name : The remote SMB server can be abused to execute code remotely. File : smb_nt_ms09-050.nasl - Type : ACT_GATHER_INFO |
2009-09-08 | Name : Arbitrary code may be executed on the remote host through the SMB port File : smb2_pid_high_vuln.nasl - Type : ACT_ATTACK |
Alert History
Date | Informations |
---|---|
2020-05-23 13:17:13 |
|
2016-03-06 09:24:50 |
|
2016-03-06 05:24:18 |
|
2016-03-05 21:25:10 |
|
2016-03-05 17:24:18 |
|
2014-02-17 11:46:20 |
|
2014-01-19 21:30:22 |
|