BSOD caused by the zero-day (Source: ISC SANS)

Proof-of-concept code for a zero-day in the SMB (Server Message Block) protocol that affects several Windows versions has been published online today, sending sysadmins into a frenzy to protect vulnerable machines.

The SMB zero-day affects several Windows OS versions, such as Windows 10, 8.1, Server 2012, and Server 2016.

The United States Computer Emergency Readiness Team (US-CERT) published an official advisory a few hours ago.

Zero-day leads to BSOD, maybe worse

According to US-CERT experts, the zero-day leads to a Denial-of-Service state that crashes the operating system, and could potentially open the machine to attackers executing arbitrary code with Windows kernel privileges, although this scenario has not been officially confirmed yet.

US-CERT specialists describe the issue as follows:

Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.
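The defensive counterpart of the malformed response US-CERT describes is a length check on the reply itself. The validator below is an added illustration, not code from the article or from Microsoft: it parses one SMB2 TREE_CONNECT response and reports any bytes that follow the 16-byte body MS-SMB2 defines for it, which is what a hardened client or a network monitor would flag. The fixture builder and its field values (share type, access mask, message id) are constructed for the example.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64            # MS-SMB2 2.2.1.2: header StructureSize is always 64
SMB2_TREE_CONNECT = 0x0003      # Command value for TREE_CONNECT
TREE_CONNECT_RESP_LEN = 16      # MS-SMB2 2.2.10: response StructureSize must be 16


def check_tree_connect_response(data: bytes) -> dict:
    """Parse one SMB2 TREE_CONNECT response and flag bytes beyond its fixed layout.

    Returns parsed fields plus 'ok'. 'trailing' counts bytes inside this message
    that follow the 16-byte body; a well-formed response always reports 0.
    """
    if len(data) < SMB2_HEADER_LEN or data[:4] != SMB2_MAGIC:
        return {"ok": False, "reason": "not an SMB2 message"}
    hdr_size = struct.unpack_from("<H", data, 4)[0]
    status, command = struct.unpack_from("<IH", data, 8)
    next_command = struct.unpack_from("<I", data, 20)[0]
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_TREE_CONNECT:
        return {"ok": False, "reason": "not a TREE_CONNECT response"}
    # In a compounded reply NextCommand is the offset of the next message, so only
    # the bytes before it belong to this response.
    msg_len = next_command if next_command else len(data)
    if msg_len > len(data) or msg_len < SMB2_HEADER_LEN + TREE_CONNECT_RESP_LEN:
        return {"ok": False, "reason": "truncated message"}
    body_size, share_type = struct.unpack_from("<HB", data, SMB2_HEADER_LEN)
    trailing = msg_len - (SMB2_HEADER_LEN + TREE_CONNECT_RESP_LEN)
    return {
        "ok": body_size == TREE_CONNECT_RESP_LEN and trailing == 0,
        "status": status,
        "share_type": share_type,
        "body_size": body_size,
        "trailing": trailing,
    }


def build_tree_connect_response(extra: bytes = b"") -> bytes:
    """Constructed fixture: a minimal success response, optionally padded with
    'extra' bytes after the 16-byte body (the shape of the malformed reply)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,
                         SMB2_TREE_CONNECT, 1, 0x1, 0, 1, 0, 1, 0, b"\x00" * 16)
    body = struct.pack("<HBBIII", TREE_CONNECT_RESP_LEN, 1, 0, 0, 0, 0x001F01FF)
    return header + body + extra


if __name__ == "__main__":
    print(check_tree_connect_response(build_tree_connect_response()))
    print(check_tree_connect_response(build_tree_connect_response(b"\x00" * 32)))
```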

US-CERT tests confirmed the issue affects Windows 8.1 and Windows 10. Laurent Gaffié, the security researcher who goes by the Twitter handle @PythonResponder and who disclosed the zero-day's existence, claims it also works against Windows Server 2012 and Windows Server 2016.

Zero-day receives maximum severity score

The zero-day has received a CVSS base severity score of 10 out of 10. The score means the issue is easy to weaponize by unskilled attackers and can be exploited remotely.

The good news is that the exploitation chain relies on social engineering, as it requires users to click on a link and connect to a remote SMB server. Most attacks could be spotted by proper employee training. Enterprise users are the most likely to fall for these attacks, as they connect to network-shared resources on a daily basis.

There's no fix for this issue, but Microsoft will release a patch with the next Patch Tuesday updates, on February 14. US-CERT recommends that sysadmins block "outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN," which will block users from connecting to Internet-based SMB servers. This limits the zero-day's effect to rogue SMB servers hosted on the same network, a less likely exploitation scenario.

SMB is an ancient protocol used in local networks to give computers access to files, printers, and serial ports, as well as for miscellaneous communications between nodes on a network.

There are three versions of this protocol, and Microsoft, via one of its engineers, has urged system administrators to disable SMBv1 and move to SMBv2 or SMBv3 (preferred). The zero-day affects the latest version, SMBv3.

Update: Article updated with information on Microsoft's planned patch.