Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Discovers and Responds to CVE 2015-2474 (Updated)

At Tenable, we love bug reports; they give us opportunities to make our software even better. Recently, a customer was having some issues with a credentialed patch audit of his network (https://discussions.tenable.com/message/31190). In the process of solving this issue, our engineers discovered a problem with how SMB v1 server logs error messages. Of course, we dutifully reported the issue to Microsoft, and today they issued Security Bulletin MS15-083 for CVE-2015-2474.

The issue in question impacts Windows Vista SP2 and Windows Server 2008 SP2 on both 32-bit and x64 based systems as well as the Server Core installations of Server 2008. In all cases, the severity of the vulnerability is listed as Important, meaning you should patch as soon as you can. If for some reason you can’t install the supplied Microsoft patch right away, you could disable SMBv1 or the Extended Protection for Authentication in SMB; but it’s much easier to just install the patch.

An SPN or Service Principal Name is the name by which a client uniquely identifies an instance of a service. When authenticating to the SMB server, the client can provide the SPN of the server. The SMB server can validate the client-provided SPN depending on the server configuration. To exploit this issue, an attacker must first supply a valid credential as part of the SMB v1 authentication and create a specially crafted extra long SPN in an SMB v1 authentication packet. When the system attempts to use this extra long SPN, it will fail and attempt to write the SPN to a log. The amount of memory reserved for SPNs isn’t big enough, which can allow an attacker to overwrite portions of memory and execute code.

Install the supplied Microsoft patch right away

As far as we know right now, this vulnerability is not being exploited in the wild. Bad guys act quickly these days, so install that patch as soon as you can.

Tenable engineers have released plugin 85321 to detect this vulnerability and it is now available via the feed.

We will update this blog as events warrant.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io Vulnerability Management

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save