Executive Summary

Summary
Title Microsoft Updates for Multiple SMB Protocol Vulnerabilities
Informations
Name TA09-013A First vendor Publication 2009-01-13
Vendor US-CERT Last vendor Modification 2009-01-13
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Microsoft has released updates that address vulnerabilities in Microsoft Windows and Windows Server.

I. Description

In their bulletin for January 2009, Microsoft released updates to address vulnerabilities in the Server Message Block (SMB) Protocol that affects all supported versions Microsoft Windows.

II. Impact

A remote, unauthenticated attacker could gain elevated privileges, execute arbitrary code, or cause a denial of service.

III. Solution

Microsoft has provided updates for this vulnerability in the Microsoft Security Bulletin Summary for January 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should also consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA09-013A.html

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-7 Blind SQL Injection
CAPEC-8 Buffer Overflow in an API Call
CAPEC-9 Buffer Overflow in Local Command-Line Utilities
CAPEC-10 Buffer Overflow via Environment Variables
CAPEC-13 Subverting Environment Variable Values
CAPEC-14 Client-side Injection-induced Buffer Overflow
CAPEC-18 Embedding Scripts in Nonscript Elements
CAPEC-22 Exploiting Trust in Client (aka Make the Client Invisible)
CAPEC-24 Filter Failure through Buffer Overflow
CAPEC-28 Fuzzing
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-32 Embedding Scripts in HTTP Query Strings
CAPEC-42 MIME Conversion
CAPEC-43 Exploiting Multiple Input Interpretation Layers
CAPEC-45 Buffer Overflow via Symbolic Links
CAPEC-46 Overflow Variables and Tags
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-52 Embedding NULL Bytes
CAPEC-53 Postfix, Null Terminate, and Backslash
CAPEC-63 Simple Script Injection
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-66 SQL Injection
CAPEC-67 String Format Overflow in syslog()
CAPEC-71 Using Unicode Encoding to Bypass Validation Logic
CAPEC-72 URL Encoding
CAPEC-73 User-Controlled Filename
CAPEC-78 Using Escaped Slashes in Alternate Encoding
CAPEC-79 Using Slashes in Alternate Encoding
CAPEC-80 Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-81 Web Logs Tampering
CAPEC-83 XPath Injection
CAPEC-85 Client Network Footprinting (using AJAX/XSS)
CAPEC-86 Embedding Script (XSS ) in HTTP Headers
CAPEC-88 OS Command Injection
CAPEC-91 XSS in IMG Tags
CAPEC-99 XML Parser Attack
CAPEC-101 Server Side Include (SSI) Injection
CAPEC-104 Cross Zone Scripting
CAPEC-106 Cross Site Scripting through Log Files
CAPEC-108 Command Line Execution through SQL Injection
CAPEC-109 Object Relational Mapping Injection
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-171 Variable Manipulation

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-399 Resource Management Errors
33 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
33 % CWE-94 Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5248
 
Oval ID: oval:org.mitre.oval:def:5248
Title: SMB Validation Remote Code Execution Vulnerability
Description: SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans2 request, related to "insufficiently validating the buffer size," aka "SMB Validation Remote Code Execution Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-4835
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5262
 
Oval ID: oval:org.mitre.oval:def:5262
Title: Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS
Description: srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-4114
Version: 1
Platform(s): Microsoft Windows Vista
Product(s): Microsoft Windows Vista
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5863
 
Oval ID: oval:org.mitre.oval:def:5863
Title: SMB Buffer Overflow Remote Code Execution Vulnerability
Description: Buffer overflow in SMB in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via malformed values of unspecified "fields inside the SMB packets" in an NT Trans request, aka "SMB Buffer Overflow Remote Code Execution Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-4834
Version: 1
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6044
 
Oval ID: oval:org.mitre.oval:def:6044
Title: SMB Validation Denial of Service Vulnerability
Description: srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2008-4114
Version: 1
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Os 1
Os 4
Os 3
Os 6
Os 6

OpenVAS Exploits

Date Description
2010-03-18 Name : Vulnerabilities in SMB Could Allow Remote Code Execution (958687) - Remote
File : nvt/secpod_ms09-001_remote.nasl
2009-01-14 Name : Vulnerabilities in SMB Could Allow Remote Code Execution (958687)
File : nvt/secpod_ms09-001.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
52692 Microsoft SMB NT Trans2 Request Parsing Unspecified Remote Code Execution

52691 Microsoft SMB NT Trans Request Parsing Overflow Remote Code Execution

48153 Microsoft Windows srv.sys WRITE_ANDX SMB Packet Handling Remote DoS

Windows contains a flaw that may allow a remote denial of service. The issue is triggered when the kernel processes malformed WRITE_ANDX SMB packets, and will result in loss of availability for the platform.

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt
RuleID : 15227 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt
RuleID : 15226 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 andx param_count underflow attempt
RuleID : 15225 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode andx param_count underflow attempt
RuleID : 15224 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt
RuleID : 15223 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt
RuleID : 15222 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 param_count underflow attempt
RuleID : 15221 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode param_count underflow attempt
RuleID : 15220 - Revision : 16 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow att...
RuleID : 15219 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt
RuleID : 15218 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode andx max_param_count underflow att...
RuleID : 15217 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 andx max_param_count underflow attempt
RuleID : 15216 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt
RuleID : 15215 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt
RuleID : 15214 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 unicode max_param_count underflow attempt
RuleID : 15213 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB Trans2 OPEN2 max_param_count underflow attempt
RuleID : 15212 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt
RuleID : 15211 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE andx max_param_count underflow attempt
RuleID : 15210 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underfl...
RuleID : 15209 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode andx max_param_count underfl...
RuleID : 15208 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt
RuleID : 15207 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE max_param_count underflow attempt
RuleID : 15206 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow at...
RuleID : 15205 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode max_param_count underflow at...
RuleID : 15204 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt
RuleID : 15203 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow a...
RuleID : 15202 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE andx param_count underflow attempt
RuleID : 15201 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode andx param_count underflow a...
RuleID : 15200 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt
RuleID : 15199 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt
RuleID : 15198 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE param_count underflow attempt
RuleID : 15197 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows SMB NT Trans NT CREATE unicode param_count underflow attempt
RuleID : 15196 - Revision : 16 - Type : OS-WINDOWS
2014-01-10 SMB write_andx overflow attempt
RuleID : 10161 - Revision : 9 - Type : NETBIOS

Nessus® Vulnerability Scanner

Date Description
2009-01-13 Name : It may be possible to execute arbitrary code on the remote host due to a flaw...
File : smb_nt_ms09-001.nasl - Type : ACT_GATHER_INFO