Tenable Discovers and Responds to CVE 2015-2474 (Updated)
At Tenable, we love bug reports; they give us opportunities to make our software even better. Recently, a customer was having some issues with a credentialed patch audit of his network (https://discussions.tenable.com/message/31190). In the process of solving this issue, our engineers discovered a problem with how SMB v1 server logs error messages. Of course, we dutifully reported the issue to Microsoft, and today they issued Security Bulletin MS15-083 for CVE-2015-2474.
The issue in question impacts Windows Vista SP2 and Windows Server 2008 SP2 on both 32-bit and x64 based systems as well as the Server Core installations of Server 2008. In all cases, the severity of the vulnerability is listed as Important, meaning you should patch as soon as you can. If for some reason you can’t install the supplied Microsoft patch right away, you could disable SMBv1 or the Extended Protection for Authentication in SMB; but it’s much easier to just install the patch.
An SPN or Service Principal Name is the name by which a client uniquely identifies an instance of a service. When authenticating to the SMB server, the client can provide the SPN of the server. The SMB server can validate the client-provided SPN depending on the server configuration. To exploit this issue, an attacker must first supply a valid credential as part of the SMB v1 authentication and create a specially crafted extra long SPN in an SMB v1 authentication packet. When the system attempts to use this extra long SPN, it will fail and attempt to write the SPN to a log. The amount of memory reserved for SPNs isn’t big enough, which can allow an attacker to overwrite portions of memory and execute code.
Install the supplied Microsoft patch right away
As far as we know right now, this vulnerability is not being exploited in the wild. Bad guys act quickly these days, so install that patch as soon as you can.
Tenable engineers have released plugin 85321 to detect this vulnerability and it is now available via the feed.
We will update this blog as events warrant.
Related Articles
Do You Think You Have No AI Exposures? Think Again
August 6, 2024As AI usage becomes more prevalent in organizations globally, security teams must get full visibility into these applications. Building a comprehensive inventory of AI applications in your environment is a first step. Read on to learn what we found about AI application-usage in the real world when we analyzed anonymized telemetry data from scans using Tenable’s products.
Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach
August 6, 2024As AI transforms industries, security remains critical. Discover the importance of a security-first approach in AI development, the risks of open-source tools, and how Tenable's solutions can help protect your systems.
An Analyst’s Guide to Cloud-Native Vulnerability Management: Where to Start and How to Scale
September 19, 2024Cloud-native workloads introduce a unique set of challenges that complicate traditional approaches to vulnerability management. Learn how to address these challenges and scale cloud-native VM in your org.
Mastering Containerization: Key Strategies and Best Practices
September 17, 2024As organizations modernize their infrastructure, containers offer unparalleled flexibility and scalability but they also introduce unique security challenges. In this blog we explain container security challenges, identify top threats and share how the newly released Tenable Enclave Security can keep your containers secure.
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package
September 16, 2024Tenable Research discovered a remote code execution (RCE) vulnerability in Google Cloud Platform (GCP) that is now fixed and that we dubbed CloudImposer. The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool. Tenable Research also found risky guidance in GCP documentation that customers should be aware of.
- Plugins
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning