CVE-2010-0231
Published 2010-02-10
Priority P2 · 69 · critical · CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT · EPSS: 41.26% (98.5th percentile)
The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not use a sufficient source of entropy, which allows remote attackers to obtain access to files and other SMB resources via a large number of authentication requests, related to server-generated challenges, certain "duplicate values," and spoofing of an authentication token, aka "SMB NTLM Authentication Lack of Entropy Vulnerability."
Detection & IOCs (extracted from sources)
Bytes (SMB Negotiate Protocol Request, hex):
ff534d4272000000001801c00000000000000000000000000000866100005480003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200
- Detection: Detect repeated SMB Negotiate Protocol Request packets to port 445 with the Flags2 field set to 0xc001 (disabling security signatures, extended attributes, and extended security negotiation), a pattern indicative of duplicate-challenge enumeration for this vulnerability.
- Detection: Monitor for a high volume of unauthenticated SMB authentication requests from a single source; the exploit requires sending a large number of requests to obtain duplicate 8-byte NTLM challenges/nonces from the server.
- Detection: Alert on SMB Negotiate Protocol Responses returning duplicate 8-byte challenge/nonce values across multiple sessions from the same server; duplicate nonces are the core indicator of a vulnerable or actively exploited host.
- Note: The vulnerability is triggered only when the SMB Negotiate Protocol Request is sent with Flags2=0xc001, which disables extended security negotiation. Default modern Windows SMB clients do NOT send packets with these flag values, limiting passive sniffing-only exploitation scenarios.
- Note: All Windows versions implementing NTLMv1 and NTLMv2 are suspected to be affected, not just those explicitly listed, including Windows NT 3.1 (released ~1993), meaning the vulnerability may have been present for ~17 years across all Windows systems.
- Note: Beyond duplicate-challenge replay, a second attack vector (challenge/nonce prediction) is also feasible because the SMB protocol leaks information that can be used to reconstruct the internal PRNG state; patching/entropy hardening addresses both vectors.
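The three detection items above, as an added Python example that is not part of this record or of any indexed source: it parses the Negotiate Protocol Request bytes listed under "Detection & IOCs", flags the Flags2 = 0xc001 indicator on requests, pulls the server challenge out of an NT LM 0.12 Negotiate Protocol Response, and keeps a per-server set of challenges so a repeated one can be alerted on. Offsets follow the SMB1 (CIFS) header and NEGOTIATE response layout; the response packet is constructed test data, and the server keys and challenge values used when exercising the tracker are invented.

```python
import struct
from collections import defaultdict
SMB1_MAGIC, SMB_COM_NEGOTIATE, SMB_FLAGS_REPLY = b"\xffSMB", 0x72, 0x80
FLAGS2_DOWNGRADE = 0xC001  # Flags2 value from the detection note (extended security off)
# The Negotiate Protocol Request bytes listed under "Detection & IOCs" above.
NEGOTIATE_REQUEST = bytes.fromhex(
    "ff534d42" "72" "00000000" "18" "01c0" + "00" * 14 + "8661" "0000" "5480"  # 32-byte header
    + "00" "3100"  # WordCount 0, ByteCount 49, then the four dialect strings
    + "024c414e4d414e312e3000" "024c4d312e325830303200"
    + "024e54204c414e4d414e20312e3000" "024e54204c4d20302e313200")

def parse_header(pkt):
    """Return (command, flags, flags2) of a 32-byte SMB1 header, or None."""
    if len(pkt) < 32 or pkt[:4] != SMB1_MAGIC:
        return None
    return pkt[4], pkt[9], struct.unpack_from("<H", pkt, 10)[0]

def is_downgraded_negotiate(pkt):
    """True for a Negotiate *request* whose Flags2 equals 0xC001."""
    hdr = parse_header(pkt)
    return (hdr is not None and hdr[0] == SMB_COM_NEGOTIATE
            and not (hdr[1] & SMB_FLAGS_REPLY) and hdr[2] == FLAGS2_DOWNGRADE)

def extract_challenge(pkt):
    """Server challenge from an NT LM 0.12 Negotiate *response* (WordCount 17)."""
    hdr = parse_header(pkt)
    if hdr is None or hdr[0] != SMB_COM_NEGOTIATE or not (hdr[1] & SMB_FLAGS_REPLY):
        return None
    if len(pkt) < 69 or pkt[32] != 17:
        return None
    # ChallengeLength is the last parameter byte (offset 66); data area starts at 69.
    chal_len, data = pkt[66], 69
    return pkt[data:data + chal_len] if chal_len and len(pkt) >= data + chal_len else None

class ChallengeTracker:
    """Flags a server that hands the same challenge to more than one session."""
    def __init__(self):
        self.seen = defaultdict(set)
    def observe(self, server, challenge):
        """Record `challenge` for `server`; True if that server issued it before."""
        dup = challenge in self.seen[server]
        self.seen[server].add(challenge)
        return dup

def build_negotiate_response(challenge):
    """Constructed NT LM 0.12 Negotiate response carrying `challenge` (test data only)."""
    hdr = SMB1_MAGIC + b"\x72" + b"\0" * 4 + b"\x80\x01\xc0" + b"\0" * 20
    words = b"\x03\x00\x03\x32\x00\x01\x00" + struct.pack("<IIII", 4356, 65536, 0, 0) + b"\0" * 10
    return hdr + b"\x11" + words + bytes([len(challenge)]) + struct.pack("<H", len(challenge)) + challenge
```

Feed `is_downgraded_negotiate` the client-to-server packets and `extract_challenge` plus `ChallengeTracker.observe` the server-to-client packets of each session; the first `True` from `observe` is the duplicate-nonce condition the third item describes.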
GHSA-8g56-72qr-4pmv (CVE-2016-0917, CRITICAL, ghsa_unreviewed, 2022-05-17, CVSS 10.0)
The SMB service in EMC VNXe (VNXe3200 Operating Environment prior to 3.1.5.8711957 and VNXe3100/3150/3300 Operating Environment prior to 2.4.4.22638), VNX1 File OE before 7.1.80.3, VNX2 File OE before 8.1.9.155, and Celerra (all supported versions) does not prevent duplicate NTLM challenge-response nonces, which makes it easier for remote attackers to execute arbitrary code, or read or write to files, via a series of authentication requests, a related issue to CVE-2010-0231.
GHSA-jvfw-7f9c-qp8r (CVE-2010-0231, HIGH, ghsa_unreviewed, 2022-05-02)
Same description as CVE-2010-0231 above.
No detection rules found.
No writeups or analysis indexed.
References:
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-012
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7751