September 8, 2009 9:20 PDT
The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s security and configuration research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today’s VERT Alert provides brief information on the Microsoft SMB Blue Screen of Death that recently surfaced. This Denial of Service was reported to affect Windows Vista, Windows 7 and potentially Windows Server 2008. At this time, nCircle VERT has confirmed that both Windows Vista and Server 2008 are affected.
Microsoft !exploitable Crash Analyzer output provides the following:
1: kd> !exploitable
Warning: Unable to read from the TEB in the current thread.
Warning: Unable to read from the TEB in the current thread.
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at srv2!Smb2ValidateProviderCallback+0x00000000000004ec (Hash=0x4f46440f.0x7c4b5e55)
The data from the faulting address is later used to determine whether or not a branch is taken.
The standard Microsoft advice of blocking access to ports 139 and 445 is a great way to mitigate this vulnerability. Another approach for systems not requiring file, print and named-pipe sharing is to disable the Server service.
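The two mitigations above can be applied and confirmed from an elevated PowerShell prompt on Windows Vista or Server 2008. The script below is an added example, not part of the original alert or Microsoft's guidance; the rule name Block-Inbound-SMB and the function names are arbitrary choices made for this example.

```powershell
# Added example. Run elevated. Uses netsh advfirewall and the built-in
# service cmdlets. $RuleName is a label chosen for this example.
$RuleName = 'Block-Inbound-SMB'

function Block-InboundSmb {
    # Mitigation 1: block inbound TCP 139 (NetBIOS session) and 445 (Direct SMB).
    # Explicit block rules take precedence over allow rules such as the
    # File and Printer Sharing exceptions; the firewall profile must be enabled.
    # Idempotent: "show rule" exits non-zero when no rule has this name.
    netsh advfirewall firewall show rule name=$RuleName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        netsh advfirewall firewall add rule name=$RuleName dir=in action=block protocol=TCP localport=139,445
    }
}

function Disable-ServerService {
    # Mitigation 2: only for hosts that need no file, print or named-pipe sharing.
    # -Force also stops services that depend on Server (LanmanServer).
    $svc = Get-Service -Name LanmanServer
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name LanmanServer -Force
    }
    Set-Service -Name LanmanServer -StartupType Disabled
}

function Get-SmbMitigationState {
    # Report what is currently in place so the change can be confirmed.
    netsh advfirewall firewall show rule name=$RuleName | Out-Null
    $ruleFound = ($LASTEXITCODE -eq 0)
    $svc = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
    "Firewall block rule present : $ruleFound"
    "Server service state        : $($svc.State)"
    "Server service start mode   : $($svc.StartMode)"
}

Block-InboundSmb
# Disable-ServerService   # uncomment on hosts that do not share files or printers
Get-SmbMitigationState
```

A mitigated host reports the block rule as present, or the Server service as Stopped with start mode Disabled, depending on which option was applied.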
Assessing Your Systems
Current nCircle IP360 customers can determine affected systems with the following nCircle Focus™ query:
Focus query: (os:"Windows Vista" OR os:"Windows Server 2008" OR os:"Windows 7") AND app:"Direct SMB"
