  • Proof of Concept code for SMBv3 zero-day leads to Blue Screens, maybe worse

    Posted on February 3rd, 2017 at 05:38 woody Comment on the AskWoody Lounge

    Computers running fully patched Windows 10, 8.1, Server 2012, and 2016 are hit by Blue Screens when trying to connect to an infected server.

    InfoWorld Woody on Windows

    Thanks to Günter Born.

    UPDATE: Ars Technica’s Dan Goodin has a damning account of the way Microsoft is handling this 0day. Well worth reading.

    ANOTHER UPDATE: Last night, Microsoft Program Manager Ned Pyle tweeted “Yes, fix is coming. I’m not allowed to say more, because Microsoft.”



    This topic contains 18 replies, has 8 voices, and was last updated by  anonymous 8 months, 2 weeks ago.

    • #86509 Reply

      woody
      Da Boss

      Coming soon on InfoWorld
      [See the full post at: Proof of Concept code for SMBv3 zero-day leads to Blue Screens, maybe worse]

      2 users thanked author for this post.
    • #87357 Reply

      WildBill
      AskWoody Lounger

      Thanks & Danke schoen to Gunter Born! He’s probably right that PCs on WANs may be vulnerable & not LANs or WLANs. I haven’t been bitten on public Wi-Fi… Yet.

      Wild Bill Rides Again...

    • #87301 Reply

      anonymous

      So what server is infected? Does it also affect Windows 7? Do you think this’ll be patched?

      • #87408 Reply

        woody
        Da Boss

        I’m certain it’ll be patched. I expect MS to issue a security alert any minute.

        What servers? I don’t know. But the Proof of Concept code is straightforward, and available on Github. That means it’s probably already in script kiddie packages.

        See https://twitter.com/dangoodin001/status/827557860687044608

      • #87485 Reply

        ch100
        AskWoody MVP

        Windows 7 does not use SMB3.
        If you are not in a network using file shares, you would not be directly affected.
        However, good practice requires blocking access from the internet to ports 137, 138, 139 and 445, and most ISPs already provide this functionality by default. Many routers also enable this port blocking as a basic firewall rule.
        Also you should keep the system fully patched as it is not known if a previous patch mitigates the problem or if systems other than those already documented are affected.
        Best effort is always better than inaction.
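        As an added example (not from this thread or its posters), here are Windows Firewall rules that block the four ports ch100 lists on the "Public" profile, i.e. on networks such as hotel or airport Wi-Fi. The inbound rules match ch100's advice; the outbound rules are my extension, since this crash is triggered when the client opens an SMB session to a malicious server. Assumes an elevated PowerShell on Windows 8.1/10/Server 2012 or later with the NetSecurity cmdlets.

```powershell
# Added example, not from the thread: block the SMB/NetBIOS ports ch100 lists
# (137, 138, 139, 445) on the Windows Firewall "Public" profile, in both
# directions. Run in an elevated PowerShell on Windows 8.1 / 10 / Server 2012+.

$ports = @{
    TCP = @(139, 445)   # NetBIOS session service and SMB over TCP
    UDP = @(137, 138)   # NetBIOS name service and datagram service
}

foreach ($proto in $ports.Keys) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block SMB $proto $dir (Public)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule already exists: $name"
            continue
        }
        # Inbound rules match on the local port, outbound rules on the remote port.
        $portArg = if ($dir -eq 'Inbound') { @{ LocalPort = $ports[$proto] } } else { @{ RemotePort = $ports[$proto] } }
        New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol $proto `
            -Profile Public -Action Block @portArg | Out-Null
        Write-Host "Created: $name"
    }
}

# Verify: list the rules with their port filters. Block rules take precedence
# over allow rules in Windows Firewall, so an existing "File and Printer
# Sharing" allow rule on the Public profile does not undo these.
Get-NetFirewallRule -DisplayName 'Block SMB *' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Profile    = $_.Profile
            Action     = $_.Action
            Protocol   = $pf.Protocol
            LocalPort  = $pf.LocalPort
            RemotePort = $pf.RemotePort
        }
    } | Format-Table -AutoSize
```

Domain and Private profiles are left untouched, so file shares on the office or home LAN keep working while a laptop on public Wi-Fi neither answers nor initiates SMB.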

        • #87488 Reply

          anonymous

          Thank you for clarifying ch100.

    • #87452 Reply

      Noel Carboni
      AskWoody MVP

      I wonder how many people realize that “connect to an infected server”, in the context of this report, doesn’t mean the kinds of things most folks do online.

      SMB is the protocol Windows uses for file and printer sharing.

      Unless I’m missing something that other people do that I never do (using OneDrive maybe?), these are not the kinds of connections I *ever* make with “online” servers. Instead, these are the connections enterprises use in their private networks (e.g., to see files on \\SERVER\SHARE). I do use this protocol inside my company network. But of course I have protections against my internal servers being compromised.

      To put it succinctly, the “server” described that has to be compromised is not just any old web server that sends people web pages, but generally one which is inside a company or private network offering file and printer sharing.

      To not be specific about this seems to spread some unwarranted Fear, Uncertainty, and Doubt.

      https://en.wikipedia.org/wiki/Server_Message_Block

      Please, someone enlighten me as to whether there’s some component to this I’m not thinking of (e.g., under the covers in OneDrive, Skype, or one of the cloud integrations in the newer versions of Windows?).

      -Noel

      2 users thanked author for this post.
      • #87484 Reply

        PKCano
        AskWoody MVP

        I use SMB to connect to my NAS drive from my Mac. A NAS drive is actually a server.

        • #87496 Reply

          ch100
          AskWoody MVP

          A lot of people use an internal server for file sharing, but most use an “appliance”, which is a black box running a flavour of Linux hidden from the user by a fancy GUI.
          We don’t know at this stage if Linux is affected or which NAS appliances are running SMB3.

          Anyone remember Blaster?
          It looks like this is the same style of 0-day attack on port 445.

      • #88492 Reply

        woody
        Da Boss

        Correct. Somebody would have to plant the bad code on a server that your computer attaches to directly. That’s why I included Born’s explanation.

    • #87553 Reply

      Noel Carboni
      AskWoody MVP

      I use SMB to connect to my NAS drive from my Mac. A NAS drive is actually a server.

      Right. And in your case your NAS drive would have to be compromised in order for your Windows system(s) to be affected by this issue. As ch100 points out, we’re not being told how – or if – that could be done.

      This isn’t at all the same as connecting to any old web server with a web browser.

      I’m concerned that people – who might never have had enterprise computing experience or who simply don’t understand all the complexities of networking – could read more into it than there is and look in the wrong directions or just become unnecessarily upset. Computers don’t just “connect to servers” in one way. This is a case where details matter.

      Yes, I suppose you could say that any security threat that keeps online safety in the minds of the masses could be a Good Thing…

      But the thing is, incompletely stated/understood threat reports – especially those described as “zero day” – can cause people to make rash decisions. Always think about things first, and seek knowledge before acting. It’s kind of a computer version of “measure twice, cut once”.

      -Noel

      2 users thanked author for this post.
    • #88231 Reply

      fp
      AskWoody Lounger

      Did you hear the one about MS using this to push an upgrade to Win10 and Edge, even though it does not require a browser to attack and Win10 is also prone to it?

      No shame.

      • #88493 Reply

        woody
        Da Boss

        Naw, not a chance. Sounds like MS was warned, didn’t react quickly enough, and got snowbagged. See the Ars Technica report.

    • #88849 Reply

      PKCano
      AskWoody MVP

      Naw, not a chance. Sounds like MS was warned, didn’t react quickly enough, and got snowbagged. See the Ars Technica report.

      Typical for M$

    • #88839 Reply

      Goofy
      AskWoody Lounger

      Not Woody. He wouldn’t cry WOLF if there was a cute golden lab puppy at the door. I would follow Woody through the eternal flames of HELL — well, maybe JUST UP TO the flames…

      1 user thanked author for this post.
    • #88949 Reply

      Noel Carboni
      AskWoody MVP

      ANOTHER UPDATE: Last night, Microsoft Program Manager Ned Pyle tweeted “Yes, fix is coming. I’m not allowed to say more, because Microsoft.”

      We can only hope they’re not rushing it out. Much as a quick response seems necessary, it’s still important to get it right.

      • They need to completely fix the problem.
      • They need to not break anything new.
      • They need to maintain system performance.

      That’s not always easy to accomplish. We all imagine in our best hopes that it could be a simple matter of adding a line of code to compare a length field – something that requires almost no extra compute time – and voila, bug fixed. But the reality is, depending on the bug, a part of the system may need to be re-designed.

      I only bring this up at all because Microsoft has been changing the way they deliver their work to us. Today – presumably in the name of lowering costs – we’re getting software that’s been through fewer and fewer reviews and tests. From the engineers’ desks to ours. Some Windows 10 releases were built literally only a few days before becoming available to the public. There’s clearly not the professional testing being done inside Microsoft that there once was. I can’t help but think this new philosophy of quick and continuous software delivery might also influence changes to the older systems we all rely on, and as a career software engineer that worries me.

      In today’s fast moving world we need to trust patches to keep us safe, but we also need to be careful not to allow Microsoft’s questionable policies to break the systems we rely upon. Woody’s MS-DEFCON system is likely more meaningful now than ever before.

      -Noel

      1 user thanked author for this post.
    • #91516 Reply

      anonymous

      Can anyone tell me what the actual STOP code is on the BSOD, not just the triggered file (mrxsmb20.sys)? I’d love to have an alert setup to let me know if any of my systems start generating this crash, just need to know exactly how it presents itself…
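      As an added example (not from this thread), here is one way to get the STOP code the poster asks about and to alert on the next crash. Windows writes event 1001 (source "BugCheck") to the System log on the first boot after a crash; it carries the bugcheck code and the dump path but not the faulting driver, so the script lists every bugcheck and the reader confirms mrxsmb20.sys from the dump. The notification script path is a placeholder to be replaced.

```powershell
# Added example, not from the thread: surface the STOP code of recent crashes
# and register a task that fires on the next bugcheck event.
# Run in an elevated PowerShell on Windows 8.1 / 10 / Server 2012 or later.

function Get-RecentBugCheck {
    param([int]$Days = 30)
    # Event 1001 is logged on the first boot after a crash, not at crash time.
    $filter = @{ LogName = 'System'; Id = 1001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'rebooted from a bugcheck' } |
        ForEach-Object {
            # Message form: "The computer has rebooted from a bugcheck. The bugcheck was:
            # 0x0000007E (0x..., 0x..., 0x..., 0x...). A dump was saved in: C:\Windows\MEMORY.DMP. ..."
            $code = if ($_.Message -match 'bugcheck was: (0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
            $dump = if ($_.Message -match 'saved in: (\S+)\.') { $Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; StopCode = $code; DumpPath = $dump }
        }
}

# Show the last 30 days of crashes with their STOP codes and dump files.
Get-RecentBugCheck -Days 30 | Format-Table -AutoSize

# Alert on the next one: an event-triggered scheduled task (schtasks /SC ONEVENT).
# The XPath matches event 1001 from the BugCheck provider in the System log;
# C:\Tools\Notify-BugCheck.ps1 is a placeholder for your own notification script
# (write to a log, send mail, post to your monitoring system).
$xpath = "*[System[Provider[@Name='Microsoft-Windows-WER-SystemErrorReporting'] and EventID=1001]]"
schtasks /Create /F /RU SYSTEM /SC ONEVENT /EC System /MO $xpath `
    /TN "Alert on bugcheck" /TR "powershell.exe -NoProfile -File C:\Tools\Notify-BugCheck.ps1"
```

To confirm which driver faulted, open the listed dump in WinDbg and run `!analyze -v`, which names the faulting module; once the STOP code for this crash is known, narrow the XPath or the script's filter to it.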

    • #88950 Reply

      Noel Carboni
      AskWoody MVP

      Even if it didn’t happen, it’s pretty clear that people expect it to happen.

      That’s the downside of acting like a predator. People lose trust. Better get used to it – that trust is not coming back soon.

      Good morning – there IS a downside to using up a company’s reputation in the name of Marketing.

      -Noel
