=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN351
_____________________________________________________________________

DATE                      : 08/09/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows Vista, Windows Server 2008, Windows 7 RC
                             running SMB 2.0.

======================================================================
http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/975497.mspx
______________________________________________________________________

Microsoft Security Advisory 975497 Released
Posted Tuesday, September 08, 2009 4:35 PM by MSRCTEAM

We’ve just released Microsoft released Security Advisory 975497 that
provides information about a new, irresponsibly reported vulnerability
in SMB 2.0. Our investigation has shown that Windows Vista, Windows Server 2008
and Windows 7 RC are affected by this vulnerability. Windows 7 RTM,
Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by *
this vulnerability.

The Security Advisory outlines steps that Windows Vista and Windows Server 2008
customers can take to help protect themselves while we work on a security
update for this issue.

As always, we’ve provided information through Microsoft Active Protections
Program (MAPP) as well as the Microsoft Security Response Alliance (MSRA)
that they can use to help provide broader protections to customers.

We will update you through our security advisory and the MSRC Weblog as we
have new information.

Thanks

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

_____________________________________________________________________________

Microsoft Security Advisory (975497)

Vulnerabilities in SMB Could Allow Remote Code Execution

  Published: September 08, 2009

  Version: 1.0

General Information

Executive Summary

  Microsoft is investigating new public reports of a possible vulnerability in
  Microsoft Server Message Block (SMB) implementation. We are not aware of
  attacks that try to use the reported vulnerabilities or of customer impact
  at this time.

  We are actively working with partners in our Microsoft Active Protections
  Program (MAPP) to provide information that they can use to provide broader
  protections to customers.

  Upon completion of this investigation, Microsoft will take the appropriate
  action to help protect our customers. This may include providing a security
  update through our monthly release process or providing an out-of-cycle
  security update, depending on customer needs.

  Microsoft is concerned that this new report of a vulnerability was not
  responsibly disclosed, potentially putting computer users at risk. We
  continue to encourage responsible disclosure of vulnerabilities. We believe
  the commonly accepted practice of reporting vulnerabilities directly to a
  vendor serves everyone's best interests. This practice helps to ensure that
  customers receive comprehensive, high-quality updates for security
  vulnerabilities without exposure to malicious attackers while the update is
  being developed.

Affected Software

  Windows Vista, Windows Vista Service Pack 1,
  and Windows Vista Service Pack 2

  Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1,
  and Windows Vista x64 Edition Service Pack 2

  Windows Server 2008 for 32-bit Systems
  and Windows Server 2008 for 32-bit Systems Service Pack 2

  Windows Server 2008 for x64-based Systems
  and Windows Server 2008 for x64-based Systems Service Pack 2

  Windows Server 2008 for Itanium-based Systems
  and Windows Server 2008 for Itanium-based Systems Service Pack 2

Mitigating Factors

  Mitigation refers to a setting, common configuration, or general
  best-practice, existing in a default state, that could reduce the severity of
  this issue. The following mitigating factors may be helpful in your situation:
	
  * Firewall best practices and standard default firewall configurations can
    help protect networks from attacks that originate outside the enterprise
    perimeter. Best practices recommend that systems that are connected to the
    Internet have a minimal number of ports exposed. In this case, the SMB
    ports should be blocked from the Internet.	

  * In Windows Vista, if the network profile is set to "Public", the system is
    not affected by this vulnerability, since unsolicited inbound network
    packets are blocked by default.
	
  * Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.

Workarounds

  Workaround refers to a setting or configuration change that does not correct
  the underlying issue but would help block known attack vectors before you
  apply the update. Microsoft has tested the following workarounds and states
  in the discussion whether a workaround reduces functionality:
	

  * Disable SMB v2

    To modify the registry key, perform the following steps:

    Note Using Registry Editor incorrectly can cause serious problems that may
    require you to reinstall your operating system. Microsoft cannot guarantee
    that problems resulting from the incorrect use of Registry Editor can be
    solved. Use Registry Editor at your own risk. For information about how to
    edit the registry, view the "Changing Keys And Values" Help topic in
    Registry Editor (Regedit.exe) or view the "Add and Delete Information in
    the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

    1. Click Start, click Run, type Regedit in the Open box, and then
       click OK.

    2. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

    3. Click LanmanServer.

    4. Click Parameters.

    5. Right-click to add a new DWORD (32 bit) Value.

    6. Enter smb2 in the Name data field, and change the Value data field
       to 0.

    7. Exit.

    8. Restart the "Server" service. You can do this in two ways:

    9. Open up the computer management MMC, navigate to Services and
       Applications, click Services, right-click the Server service name and
       click Restart. Answer Yes in the pop-up menu.

    10. From a command prompt with administrator privileges, type net stop
        server and then net start server.

  Impact of workaround. Host will not be able to communicate using SMB2.

  How to undo the workaround:

    1. Click Start, click Run, type Regedit in the Open box, and then click OK.

    2. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

    3. Click LanmanServer.

    4. Click Parameters.

    5. Double-click smb2, and change the Value data field to 1.

    6. Exit.

    7. Restart the "Server" service. You can do this in two ways:

    8. Open up the computer management MMC, navigate to Services and
       Applications, click Services, right-click the Server service name and
       click Restart. Answer Yes in the pop-up menu.

    9. From a command prompt with administrator privileges, type net stop server
       and then net start server.
	

  * Block TCP ports 139 and 445 at the firewall

    These ports are used to initiate a connection with the affected component.
    Blocking TCP ports 139 and 445 at the firewall will help protect systems
    that are behind that firewall from attempts to exploit this vulnerability.
    Microsoft recommends that you block all unsolicited inbound communication from
    the Internet to help prevent attacks that may use other ports. For more
    information about ports, see TCP and UDP Port Assignments. [1]

  Impact of Workaround: Several Windows services use the affected ports. Blocking
  connectivity to the ports may cause various applications or services to not
  function. Some of the applications or services that could be impacted are listed
  below:
	

  * Applications that use SMB (CIFS)
	
  * Applications that use mailslots or named pipes (RPC over SMB)

  * Server (File and Print Sharing)
	
  * Group Policy
	
  * Net Logon
	
  * Distributed File System (DFS)
	
  * Terminal Server Licensing
	
  * Print Spooler

  * Computer Browser
	
  * Remote Procedure Call Locator
	
  * Fax Service
	
  * Indexing Service
	
  * Performance Logs and Alerts
	
  * Systems Management Server
	
  * License Logging Service

  How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For
  more information about ports, see TCP and UDP Port Assignments. [1]

 [1] TCP and UDP Port Assignments.
     http://go.microsoft.com/fwlink/?LinkId=21312



======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================