cbcvebase.
CVE-2010-0231
published 2010-02-10

Priority: P2 (69)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit known
EPSS: 41.26% (98.5th percentile)
The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not use a sufficient source of entropy, which allows remote attackers to obtain access to files and other SMB resources via a large number of authentication requests, related to server-generated challenges, certain "duplicate values," and spoofing of an authentication token, aka "SMB NTLM Authentication Lack of Entropy Vulnerability."

Detection & IOCs (extracted from sources)

Port: 445
Bytes (SMB Negotiate Protocol Request): ff534d4272000000001801c00000000000000000000000000000866100005480003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200
  • Detect repeated SMB Negotiate Protocol Request packets to port 445 with the Flags2 field set to 0xc001 (disabling security signatures, extended attributes, and extended security negotiation) — a pattern indicative of duplicate-challenge enumeration for this vulnerability.
  • Monitor for a high volume of unauthenticated SMB authentication requests from a single source — the exploit requires sending a large number of requests to obtain duplicate 8-byte NTLM challenges/nonces from the server.
  • Alert on SMB Negotiate Protocol Responses returning duplicate 8-byte challenge/nonce values across multiple sessions from the same server — duplicate nonces are the core indicator of a vulnerable or actively exploited host.
  • The vulnerability is triggered only when the SMB Negotiate Protocol Request is sent with Flags2=0xc001, which disables extended security negotiation. Default modern Windows SMB clients do NOT send packets with these flag values, limiting passive sniffing-only exploitation scenarios.
  • All Windows versions implementing NTLMv1 and NTLMv2 are suspected to be affected, not just those explicitly listed — including Windows NT 3.1 (released ~1993), meaning the vulnerability may have been present for ~17 years across all Windows systems.
  • Beyond duplicate-challenge replay, a second attack vector (challenge/nonce prediction) is also feasible because the SMB protocol leaks information that can be used to reconstruct the internal PRNG state — patching/entropy hardening addresses both vectors.
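A defender-side check for the two indicators above (the Flags2=0xc001 value on Negotiate requests, and an 8-byte challenge repeated by the same server), written as an added Python example that is not taken from the page's sources. The request bytes are the ones quoted above; the field values in build_negotiate_response are hypothetical and exist only so the challenge extraction can be exercised offline.

```python
import struct

SMB_COM_NEGOTIATE = 0x72
SMB_FLAGS_REPLY = 0x80              # Flags bit set on server responses
FLAGS2_EXTENDED_SECURITY = 0x0800
SUSPICIOUS_FLAGS2 = 0xC001          # signing, EAs and extended security all cleared

NEGOTIATE_REQUEST = bytes.fromhex(  # the request bytes quoted on this page (no NetBIOS header)
    "ff534d4272000000001801c00000000000000000000000000000866100005480"
    "003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e"
    "4d414e20312e3000024e54204c4d20302e313200")

def parse_header(data):
    """Return the SMB1 header fields needed here, or None if `data` is not SMB1."""
    if len(data) < 32 or data[:4] != b"\xffSMB":
        return None
    command, _status, flags, flags2 = struct.unpack_from("<BIBH", data, 4)
    return {"command": command, "flags2": flags2,
            "is_response": bool(flags & SMB_FLAGS_REPLY), "body": data[32:]}

def is_suspicious_negotiate(data):
    """True for a client Negotiate whose Flags2 is exactly the 0xC001 value noted above."""
    h = parse_header(data)
    return (h is not None and h["command"] == SMB_COM_NEGOTIATE
            and not h["is_response"] and h["flags2"] == SUSPICIOUS_FLAGS2)

def negotiate_challenge(data):
    """8-byte challenge from an NT LM 0.12 Negotiate response, or None if there is none."""
    h = parse_header(data)
    if (h is None or h["command"] != SMB_COM_NEGOTIATE or not h["is_response"]
            or h["flags2"] & FLAGS2_EXTENDED_SECURITY or h["body"][0] != 17):
        return None
    body = h["body"]   # WordCount(1) + 17 words(34) + ByteCount(2); ChallengeLength is body[34]
    if body[34] != 8 or struct.unpack_from("<H", body, 35)[0] < 8:
        return None
    return body[37:45]

def build_negotiate_response(challenge):
    """Constructed NT LM 0.12 response (hypothetical server values) carrying `challenge`."""
    hdr = b"\xffSMB" + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, SMB_FLAGS_REPLY, 0xC001) + bytes(20)
    words = struct.pack("<HBHHIIIIQhB", 3, 3, 50, 1, 16644, 65536, 0, 0xE3FD, 0, 0, 8)
    return hdr + bytes([17]) + words + struct.pack("<H", 8) + challenge

def observe_challenge(seen, server, data):
    """Record a response's challenge in `seen` (server -> set); True when it repeats."""
    chal = negotiate_challenge(data)
    if chal is None:
        return False
    dup = chal in seen.setdefault(server, set())
    seen[server].add(chal)
    return dup
```

Feed parse_header the SMB payload after the 4-byte NetBIOS session header when reading from a capture; a True from observe_challenge on a production server is the duplicate-nonce condition the notes above describe.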