{"vuid":"VU#867968","idnumber":"867968","name":"Microsoft Windows SMB Tree Connect Response denial of service vulnerability","keywords":["SMB","mrxsmb20.sys"],"overview":"Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.","clean_desc":"Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2. Note that there are a number of techniques that can be used to trigger a Windows system to connect to an SMB share. Some may require little to no user interaction. Exploit code for this vulnerability is publicly available.","impact":"By causing a Windows system to connect to a malicious SMB share, a remote attacker may be able to cause a denial of service by crashing Windows.","resolution":"Apply an update This issue is addressed in Microsoft Security Bulletin MS17-012. Please also consider the following best practices, which also function as workarounds:","workarounds":"Block outbound SMB Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.","sysaffected":"","thanks":"This vulnerability was publicly reported by PythonResponder.","author":"This document was written by Will Dormann.","public":["https://technet.microsoft.com/library/security/ms17-012","https://github.com/lgandx/PoC/tree/master/SMBv3%20Tree%20Connect","https://msdn.microsoft.com/en-us/library/cc246499.aspx","https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices"],"cveids":["CVE-2017-0016"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2017-02-02T15:13:09Z","publicdate":"2017-02-01T00:00:00Z","datefirstpublished":"2017-02-02T16:18:20Z","dateupdated":"2017-03-17T12:40:02Z","revision":28,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"N","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"U","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.8","cvss_basevector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","cvss_temporalscore":"7","cvss_environmentalscore":"7.007751072","cvss_environmentalvector":"CDP:ND/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}