
OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a denial-of-service vulnerability in Microsoft Windows Vista.

Additional Information

Server Message Block 2 (SMB2) is a newer version of the SMB protocol. SMB2 was introduced in Microsoft Windows Vista.

Windows is prone to a remote code-execution vulnerability when processing the protocol headers for the SMB Negotiate Protocol Request. This issue affects the '_Smb2ValidateProviderCallback()' function in the 'srv2.sys' driver. Specifically, the software fails to sufficiently validate the 'Process ID High' header field contained in an SMB2 request before using it to construct a pointer into a function table.

NOTE: Reportedly, for this issue to be exploitable, file sharing must be enabled.

An attacker can exploit this issue to execute code with SYSTEM-level privileges; failed exploit attempts will likely cause denial-of-service conditions.
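The signature described above keys on the header field named in the description. The following is an added illustration (not Symantec's signature logic or Microsoft's code) of the same inspection idea: parse the SMB1-format Negotiate Protocol Request that carries the SMB2 dialect offer and flag a request whose 'Process ID High' field is non-zero. It assumes the standard 32-byte SMB1 header layout (PIDHigh at byte offset 12), the "SMB 2.002" dialect string, and NetBIOS framing already stripped; the sample packets are constructed, and the anomaly sample uses an arbitrary non-zero value, not a known trigger.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
HEADER_LEN = 32           # fixed SMB1 header size
SMB2_DIALECT = "SMB 2.002"  # dialect a client offers to negotiate SMB2 (assumed)

def parse_smb1_header(pkt):
    """Return the header fields we care about, or None if not an SMB1 message."""
    if len(pkt) < HEADER_LEN or pkt[:4] != SMB1_MAGIC:
        return None
    # offset 4: Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2), little-endian
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", pkt, 4)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high}

def negotiate_dialects(pkt):
    """Extract the dialect strings from a Negotiate Protocol Request body."""
    word_count = pkt[HEADER_LEN]
    bc_off = HEADER_LEN + 1 + 2 * word_count          # ByteCount follows the words
    (byte_count,) = struct.unpack_from("<H", pkt, bc_off)
    data = pkt[bc_off + 2: bc_off + 2 + byte_count]
    # each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string
    return [d[1:].decode("ascii", "replace") for d in data.split(b"\x00")
            if d.startswith(b"\x02")]

def inspect(pkt):
    """Detection verdict: alert on a non-zero PIDHigh in an SMB2-offering negotiate."""
    hdr = parse_smb1_header(pkt)
    if hdr is None or hdr["command"] != SMB_COM_NEGOTIATE:
        return {"negotiate": False, "alert": False, "pid_high": None, "dialects": []}
    dialects = negotiate_dialects(pkt)
    # Legitimate Windows clients send PIDHigh = 0; a non-zero value in a request
    # that offers SMB2 is the anomaly srv2.sys failed to validate (threshold assumed).
    alert = hdr["pid_high"] != 0 and SMB2_DIALECT in dialects
    return {"negotiate": True, "alert": alert,
            "pid_high": hdr["pid_high"], "dialects": dialects}

def build_negotiate(pid_high, dialects):
    """Constructed sample builder: SMB1 header + negotiate body (not real traffic)."""
    header = SMB1_MAGIC + struct.pack("<BIBHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                                      pid_high) + b"\x00" * 18
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    return header + bytes([0]) + struct.pack("<H", len(data)) + data

BENIGN = build_negotiate(0, ["NT LM 0.12", SMB2_DIALECT])        # constructed
ANOMALY = build_negotiate(0x1234, ["NT LM 0.12", SMB2_DIALECT])  # constructed, arbitrary

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("anomaly", ANOMALY)):
        print(name, inspect(pkt))
```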

Windows 7 RC, Vista and 2008 Server are vulnerable; other versions may also be affected.

NOTE: Reportedly, Windows XP and 2000 are not affected.

UPDATE (September 9, 2009): Symantec has confirmed the issue on Windows Vista SP1 and Windows Server 2008.

Affected

  • Windows 7 RC, Vista and 2008 Server are vulnerable; other versions may also be affected.

Response

The vendor released an update to address this issue. Please see the references for more information.