CVE-2016-7237
published 2016-11-10

CVE-2016-7237: Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows…

Priority: P3, 55, medium
CVSS 3.0: 6.5
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploit: available
EPSS: 64.82% (99.1th percentile)
Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote authenticated users to cause a denial of service (system hang) via a crafted request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability."

Affected (17 ranges)

Vendor | Product | Version range | Fixed in
microsoft | windows_10 | |
microsoft | windows_10 | |
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |
msrc | windows_10 | |
msrc | windows_10_version_1511 | |
msrc | windows_10_version_1607 | |
msrc | windows_7 | |
msrc | windows_8.1 | |
msrc | windows_rt_8.1 | |
msrc | windows_server_2008 | |
msrc | windows_server_2008_r2 | |
msrc | windows_server_2012 | |
msrc | windows_server_2012_r2 | |
msrc | windows_server_2016 | |
msrc | windows_vista_service_pack_2 | |
msrc | windows_vista_x64_edition_service_pack_2 | |

Detection & IOCs (extracted from sources)

URL: https://github.com/lgandx/PoC/tree/master/LSASS
URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40744.zip
Bytes: 0x84 (ASN.1 DER length field set to unsigned int)
  • Monitor for NTLM Authenticate (Message 3) packets over SMBv1/SMBv2 where the ASN.1 DER length field is set to 0x84 (unsigned int), indicating an attempt to allocate an abnormally large memory chunk in LSASS.
  • Alert on NTLM Authenticate messages over SMB where string fields (User, Domain, Session Key, MIC, etc.) contain unusually long strings (80–140 characters), which is the secondary trigger for the LSASS crash.
  • Detect unexpected LSASS.EXE crashes or system reboots following inbound SMB NTLM authentication attempts, which may indicate successful exploitation of the null-pointer dereference in NegpBuildMechListFromCreds.
  • Look for the crash signature in LSASS: null pointer passed to RtlEnterCriticalSection via lsasrv!NegpBuildMechListFromCreds, resulting in access violation at address 0x00000014.
  • Exploitation requires the attacker to be a remote but authenticated user; unauthenticated remote exploitation is not possible for this CVE.
  • The vulnerability is triggerable via both SMBv1 and SMBv2 protocols; blocking or monitoring both is necessary for effective detection coverage.
  • The PoC is described as fully automated and includes non-vulnerable detection, meaning adversaries can quickly enumerate targets before launching the DoS.

CVSS provenance

nvd, v3.0: 6.5 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd, v2.0: 6.8 MEDIUM, AV:N/AC:L/Au:S/C:N/I:N/A:C
vendor_msrc: 6.5 MEDIUM