CVE-2016-7237
Published: 2016-11-10
Priority P3 · 55 · medium · 6.5 CVSS 3.0
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 64.82% (99.1th percentile)
Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote authenticated users to cause a denial of service (system hang) via a crafted request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from sources)
bytes: 0x84 (ASN1 DER length field set to unsigned int)
- Monitor for NTLM Authenticate (Message 3) packets over SMBv1/SMBv2 where the ASN.1 DER length field is set to 0x84 (unsigned int), indicating an attempt to allocate an abnormally large memory chunk in LSASS.
- Alert on NTLM Authenticate messages over SMB where string fields (User, Domain, Session Key, MIC, etc.) contain unusually long strings (80–140 characters), which is the secondary trigger for the LSASS crash.
- Detect unexpected LSASS.EXE crashes or system reboots following inbound SMB NTLM authentication attempts, which may indicate successful exploitation of the null-pointer dereference in NegpBuildMechListFromCreds.
- Look for the crash signature in LSASS: null pointer passed to RtlEnterCriticalSection via lsasrv!NegpBuildMechListFromCreds, resulting in access violation at address 0x00000014.
- Exploitation requires the attacker to be a remote but authenticated user; unauthenticated remote exploitation is not possible for this CVE.
- The vulnerability is triggerable via both SMBv1 and SMBv2 protocols; blocking or monitoring both is necessary for effective detection coverage.
- The PoC is described as fully automated and includes non-vulnerable detection, meaning adversaries can quickly enumerate targets before launching the DoS.
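The first detection point above can be checked offline against a security blob carved from an SMB Session Setup request. The following is an added example, not code from the advisory, the PoC or any vendor rule; the function names and the two sample blobs are constructed for illustration, and the samples contain only a stub NTLMSSP type-3 header rather than a full message.

```python
# Added example (not from the advisory or PoC): walk the ASN.1 DER headers of a
# SPNEGO security blob and flag the 0x84 length form named in the detection notes.

def read_header(buf, pos, end):
    """Return (tag, declared_length, header_size, first_length_octet)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: the octet is the length
        return tag, first, 2, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + 2 + n > end:
        raise ValueError("indefinite or truncated long-form length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n, first

def scan_blob(buf, max_depth=8):
    """Return [(offset, reason)] for suspicious TLVs in one security blob."""
    findings = []

    def walk(pos, end, depth):
        while pos < end:
            try:
                tag, length, hdr, octet = read_header(buf, pos, end)
            except ValueError as exc:
                findings.append((pos, str(exc)))
                return
            avail = end - pos - hdr        # bytes really present for the value
            if octet == 0x84:
                # DER needs four length octets only for values >= 2**24 bytes;
                # the SMB security buffer length field is only 16 bits wide.
                findings.append((pos, f"0x84 length form declares {length} bytes, {avail} present"))
            elif length > avail:
                findings.append((pos, f"declared length {length} exceeds {avail} present"))
            body_end = pos + hdr + min(length, avail)
            if tag & 0x20 and depth < max_depth:   # constructed type: descend
                walk(pos + hdr, body_end, depth + 1)
            pos = body_end

    walk(0, len(buf), 0)
    return findings

# Constructed samples: a minimal negTokenResp wrapping a stub NTLMSSP type-3 header.
NTLM_STUB = b"NTLMSSP\x00\x03\x00\x00\x00"
BENIGN = bytes.fromhex("a1123010a20e040c") + NTLM_STUB
SUSPECT = bytes.fromhex("a184001000003010a20e040c") + NTLM_STUB

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_blob(blob))
```

Any finding on a blob from an inbound session setup is worth correlating with the LSASS crash indicators listed above.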
CVSS provenance
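| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:C |
| vendor_msrc | — | 6.5 | MEDIUM | — |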
GHSA
GHSA-96wx-g729-q36v
ghsa_unreviewed · 2022-05-14
CVE-2016-7237 [MEDIUM] CWE-284
Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote authenticated users to cause a denial of service (system hang) via a crafted request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."
Microsoft
Local Security Authority Subsystem Service Denial of Service Vulnerability
vendor_msrc · 2016-11-08 · CVSS 6.5
CVE-2016-7237 [MEDIUM]
Description: A denial of service vulnerability exists in the Windows Local Security Authority Subsystem Service (LSASS). A remote, but authenticated, attacker who successfully exploited this vulnerability could cause the target system to become nonresponsive.
To exploit the vulnerability, a remote attacker would first have to log on to the system and send a specially crafted request to the target system.
The security update addresses the vulnerability by changing the way that LSASS handles specially crafted requests.
Windows Authentication Methods: Windows Authentication Methods
Impact: Denial of Service
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Unlikely; Older Softwa
No detection rules found.
Talos
Microsoft Patch Tuesday - November 2016
blogs_talos·2016-11-08
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. For a detailed explanation of each of the categories listed below, please go to https://technet.microsoft.com/en-us/security/gg309177.aspx.
This month's release is packed full of goodies, but you don't want to wait to review them over Thanksgiving dinner as there are 14 unique bulletins addressing multiple vulnerabilities.
Critical bulletins address vulnerabilities in (alphabetically):
- Adobe Flash Player
- Edge
- Graphics Component
- Internet Explorer
- Video Control
- Windows
The remaining bulletins are rated Important or Moderate and address vulnerabilities in the following products (listed alphabetically):
- Boot Manager*
- Common Log File System
- http://www.securityfocus.com/bid/94040
- http://www.securitytracker.com/id/1037249
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-137
- https://www.exploit-db.com/exploits/40744/
Published: 2016-11-10