Tenable Discovers and Responds to CVE 2015-2474 (Updated)
At Tenable, we love bug reports; they give us opportunities to make our software even better. Recently, a customer was having some issues with a credentialed patch audit of his network (https://discussions.tenable.com/message/31190). In the process of solving this issue, our engineers discovered a problem with how SMB v1 server logs error messages. Of course, we dutifully reported the issue to Microsoft, and today they issued Security Bulletin MS15-083 for CVE-2015-2474.
The issue in question impacts Windows Vista SP2 and Windows Server 2008 SP2 on both 32-bit and x64 based systems as well as the Server Core installations of Server 2008. In all cases, the severity of the vulnerability is listed as Important, meaning you should patch as soon as you can. If for some reason you can’t install the supplied Microsoft patch right away, you could disable SMBv1 or the Extended Protection for Authentication in SMB; but it’s much easier to just install the patch.
An SPN or Service Principal Name is the name by which a client uniquely identifies an instance of a service. When authenticating to the SMB server, the client can provide the SPN of the server. The SMB server can validate the client-provided SPN depending on the server configuration. To exploit this issue, an attacker must first supply a valid credential as part of the SMB v1 authentication and create a specially crafted extra long SPN in an SMB v1 authentication packet. When the system attempts to use this extra long SPN, it will fail and attempt to write the SPN to a log. The amount of memory reserved for SPNs isn’t big enough, which can allow an attacker to overwrite portions of memory and execute code.
Install the supplied Microsoft patch right away
As far as we know right now, this vulnerability is not being exploited in the wild. Bad guys act quickly these days, so install that patch as soon as you can.
Tenable engineers have released plugin 85321 to detect this vulnerability and it is now available via the feed.
We will update this blog as events warrant.