3 February 2017

Exploit code available for 0day vulnerability in Microsoft Windows


In mid-January this year, US-CERT issued an alert stating that the Shadow Brokers were trading a 0day vulnerability in Server Message Block (SMB). The hackers offered to sell the 0day exploit for 250 bitcoins.

Alongside it, the Shadow Brokers announced the sale of a large number of Windows exploits and hacking tools stolen from the Equation Group.

The vulnerability in question caught our attention because, as of yesterday, PoC code exploiting a vulnerability in the SMB implementation in Microsoft Windows has been made public on GitHub. The available exploit merely triggers memory corruption and renders the vulnerable system unresponsive.

A brief analysis of the vulnerability suggests that the exploit code works on the following operating systems: Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.

We have issued our own security advisory, SB2017020301, to address this vulnerability.

The vulnerability resides in the SMB client when it processes malformed responses from a malicious SMB server. User interaction is not necessary to exploit this vulnerability, because there are multiple ways to make the system connect to a malicious SMB share without the user's knowledge.

Currently we are unaware of any real-world attacks leveraging the publicly disclosed issue.

As a workaround, we recommend blocking outgoing SMB traffic to the following ports:

  • 139/tcp
  • 445/tcp
  • 137/udp
  • 138/udp
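One way to apply this workaround on a single Windows host, as an added example that is not part of the original advisory: the script below creates outbound Windows Firewall block rules for the four ports listed above and then lists them for verification. It assumes an elevated PowerShell session on Windows 8.1/Server 2012 or later (NetSecurity module); the rule names and the group label are our own choice.

```powershell
# Added example (not from the original advisory): create Windows Firewall rules
# that block outbound SMB/NetBIOS traffic on the four ports listed above.
# Assumptions: elevated PowerShell on Windows 8.1/Server 2012 or later
# (NetSecurity module); rule names and group label are our own choice.
# Note: a blanket outbound block also stops access to legitimate file shares,
# so prefer enforcing it at the network perimeter or scope -RemoteAddress.
#Requires -RunAsAdministrator

$group = 'SMB-0day-Workaround'          # our label, used to find/remove the rules later

# Protocol/port pairs from the advisory
$targets = @(
    @{ Protocol = 'TCP'; Port = 139 },  # NetBIOS Session Service
    @{ Protocol = 'TCP'; Port = 445 },  # SMB over TCP (direct hosting)
    @{ Protocol = 'UDP'; Port = 137 },  # NetBIOS Name Service
    @{ Protocol = 'UDP'; Port = 138 }   # NetBIOS Datagram Service
)

foreach ($t in $targets) {
    $name = "Block outbound SMB $($t.Protocol)/$($t.Port)"
    # Idempotent: skip rules that already exist
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
                            -Group $group `
                            -Direction Outbound `
                            -Action Block `
                            -Protocol $t.Protocol `
                            -RemotePort $t.Port `
                            -RemoteAddress Any `
                            -Profile Any `
                            -Enabled True | Out-Null
    }
}

# Verify: show the rules we created together with their port filters
Get-NetFirewallRule -Group $group |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Action   = $_.Action
            Protocol = $pf.Protocol
            Port     = $pf.RemotePort
        }
    } | Format-Table -AutoSize

# Rollback once a patch is installed:
# Get-NetFirewallRule -Group $group | Remove-NetFirewallRule
```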

We will update our advisory when we have more information. Stay in touch.
