Tom Decaluwé

A lot of posts have been written on the SMBv2 vulnerability and how this new bug in MS flagship products Windows Vista and Windows 2008 causes BSOD.

For those of you that have not been following security hell this month it all started on 7 September with this post: http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Where a 0day exploit was launched with a malformed SMBv2 packet sending an unexpected & character in the smbv2 NEGOTIATE PROTOCOL REQUEST packet

you can find the full details on the exploit packet down at  Laura Chappels project site http://www.chappellseminars.com/projects.html

A lot of negative news has been brought out to the internet about this exploit and it is certainly a big issue as the MS official fix at this time is to disable SMB2 a feature we have all come to love and a major driver to why we upgraded from Win2003 to 2008

http://www.microsoft.com/technet/security/advisory/975497.mspx

http://support.microsoft.com/kb/975497

However even in these darkest of time there is always a light at the end of the tunnel and I wanted to seize the opportunity to really illustrate the power of Microsoft's new Network Inspection System  being introduced in TMG the follow up product for ISA is really the answer the the 0-day treat that’s in our worst nightmares.

Once you’ve seen the power of NIS you certainly think twice and add an ISA as central firewall to your environment and start thinking of real network segmentation.

What is NIS:

NIS is a new technology based on GAPA that was developed by Microsoft research. This new technology allows TMG to “sniff / inspect” packets at the network layer with application intelligence and detect bad stuff passing over the network based on signatures created by Microsoft support.

The main benefit is that these signatures work just like anti virus data updates. This means you can enable/disable signatures on the fly without having to install “risky” updates on your production servers. It also allows Microsoft to bring protection to you networks much faster than the standard patch develop / test / deploy cycle.

When the SMBv2 vulnerability was launched it literally took  MS research hours to detect / create and deploy the TMG signature, while we are still waiting for the patch Tuesday fix.

Even tough this signature does not fix the issue, it does provide a level op protection we did not have be for NIS was invented.

The main difference between MS signatures and 3de party signatures is that MS developers have direct access to the code being exploited. They can base their signatures by analyzing the actual code being exploited taking into account any unknown vulnerabilities not yet know in the wild. While 3de parties need to relay on trial/error, reverse engineering, info disclosed by MS and  the actual exploit code. But there is no way for them to really look at the root cause of the issue.

What happens:

1) Be for the release of the signature TMG and any other firewall was unaware of the mal intent of the SMBv2 packets and packets passed the network and win2k8 systems BSOD.

2) Microsoft releases a signature file for the vulnerability and TMG downloads it with hours after the 0day was released. According to your setup the action is to detect only or detect and block. MS default of the SMBv2 vulnerability was of course to detect and block

3) After the NIS signature is installed TMG is smarter and can now actively detect the SMBv2 mall formed packet and saving your server from certain death

As you can see NIS is a very powerful technology that will certainly be worth you investment of time and money to keep you network safer than ever be for.

If you want the full story on NIS, watch my 30 minutes deep dive webcast at http://www.microsoft.com/belux/technet/nl/chopsticks/default.aspx?id=1416

you’ll learn all you need to know and see two vulnerabilities tested against the system including the SMBv2 0day attack.