Microsoft SMB2 Vulnerability

Microsoft has announced an out-of-band release for a vulnerability (CVE-2009-3103) in the SMB2 protocol which exposes Windows Server 2008 and Windows Vista users to possible remote code execution attacks. It does not appear that Windows 2000 and Windows XP are affected because they do not have the vulnerable SMB2 driver. The vulnerability is labeled as critical and there is publically available exploit code. The vulnerability is an index error in the SMB2 protocol implementation in srv2.sys, which allows remote attackers to either cause a denial of service attack or execute remote code on a vulnerable system through an ampersand (&) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet. This triggers an attempted dereference of an out-of-bounds memory location.

There is no Microsoft patch available for the vulnerability, and it is recommended that Palo Alto Networks customers with vulnerable Microsoft devices upgrade to content version 142. For more information about the Microsoft advisory on the vulnerability, check out the link below.