=====================================================================
                           CERT-Renater

               Information Note No. 2009/VULN460
_____________________________________________________________________

DATE                 : 16/11/2009

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Windows 7, Windows Server 2008 running SMBv1, SMBv2.

======================================================================
http://blogs.technet.com/msrc/archive/2009/11/13/microsoft-security-advisory-977544-released.aspx
http://www.microsoft.com/technet/security/advisory/977544.mspx
______________________________________________________________________

Friday, November 13, 2009 3:08 PM by MSRCTEAM

Microsoft Security Advisory 977544 Released

Today we released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol. This vulnerability, in SMBv1 and SMBv2, affects Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected.

I want to be clear that this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted.

We are actively monitoring this situation to keep customers informed and will provide additional guidance as necessary. While we are not currently aware of active attacks, we continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory to protect themselves as we work to develop a comprehensive security update.

As always, we are working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers and as we become aware of new information, we’ll provide additional updates as appropriate through the Security Advisory and the MSRC blog.

As always, we continue to encourage the responsible disclosure of vulnerabilities to help ensure customers receive high-quality security updates without exposure to malicious attacks.

Thanks,
Mike Reavey

________________________________________________________________________

Microsoft Security Advisory (977544)
Vulnerability in SMB Could Allow Denial of Service

Published: November 13, 2009
Version: 1.0

General Information

Executive Summary

Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user's system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

Affected Software

    Windows 7 for 32-bit Systems
    Windows 7 for x64-based Systems
    Windows Server 2008 R2 for x64-based Systems*
    Windows Server 2008 R2 for Itanium-based Systems

    *Server Core installation affected.

Workarounds

Block TCP ports 139 and 445 at the firewall

These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all SMB communications to and from the Internet to help prevent attacks. For more information about ports, see TCP and UDP Port Assignments.

Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:

    Applications that use SMB (CIFS)
    Applications that use mailslots or named pipes (RPC over SMB)
    Server (File and Print Sharing)
    Group Policy
    Net Logon
    Distributed File System (DFS)
    Terminal Server Licensing
    Print Spooler
    Computer Browser
    Remote Procedure Call Locator
    Fax Service
    Indexing Service
    Performance Logs and Alerts
    Systems Management Server
    License Logging Service

How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================