Microsoft SMB Client Vulnerabilities Could Allow Remote Code Execution

Report ID: SA201106600
Source: F-Secure
Date of Discovery: 12.04.2011
Criticality: Critical
Affects:
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2

Compromise From: From remote
From local network
Compromise Type: Remote code execution

Summary

Two vulnerabilities involving browser message parsing and SMB response validation could allow the execution of arbitrary code on affected systems.

Detailed Description

Microsoft released a security update to resolve two reported vulnerabilities involving browser message parsing and SMB response validation. Each vulnerability could lead to unauthenticated remote code execution, and potentially allow an attacker to gain system access.

Browser pool corruption vulnerability (CVE-2011-0654)

When the CIFS Browser Protocol implementation improperly parses browser messages, the resulting memory corruption may allow an attacker to execute code with system-level privileges. Most exploit attempts would cause the system to stop responding and restart, but a successful exploit of this vulnerability could allow an attacker to take complete control of an affected system.

SMB client response parsing vulnerability (CVE-2011-0660)

When SMB responses are improperly validated by the SMB client implementation, an unauthenticated remote code execution vulnerability may occur. Most exploit attempts would cause the system to stop responding and restart, but a successful exploit of this vulnerability could allow an attacker to take complete control of an affected system.

The vulnerabilities have been resolved in the update by correcting the way the CIFS Browser handles browser messages and the way SMB responses are validated. Users are advised to install the latest update for the applicable system.

Solution

Install the latest patch for the applicable system, available for download from http://www.microsoft.com/technet/security/Bulletin/MS11-019.mspx

Original Reference

CVE Reference

CVE-2011-0654
CVE-2011-0660