Technical details about the srv2.sys blue screen error
This Microsoft vulnerability is not only a blue screen flaw (the underlying defect is an out-of-bounds array index); it also allows remote code execution.
Microsoft Windows could allow a remote attacker to execute arbitrary code on the system. The issue is caused by an array indexing error in the Smb2ValidateProviderCallback() function within the SRV2.SYS kernel driver when it processes Server Message Block (SMB) packets. A remote attacker could exploit this vulnerability by sending a specially crafted SMB Negotiate Protocol Request. The out-of-bounds memory reference lets the attacker execute arbitrary code on the system or cause it to crash.
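The bug class described above, an index taken from a network packet and used to address an array without a range check, is easy to see in a small model. The following is an added illustration, not code from srv2.sys or from Microsoft: the handler table, the packet layout and all function names are assumptions, chosen only to contrast the defective pattern with the bounds-checked version a driver should use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical table of per-command handlers, selected by a value read
 * straight from an attacker-controlled packet field. The names and layout
 * are assumptions for this example, not the real srv2.sys structures. */
typedef int (*cmd_handler_t)(const uint8_t *body, size_t len);

static int handle_negotiate(const uint8_t *body, size_t len)     { (void)body; (void)len; return 1; }
static int handle_session_setup(const uint8_t *body, size_t len) { (void)body; (void)len; return 2; }
static int handle_tree_connect(const uint8_t *body, size_t len)  { (void)body; (void)len; return 3; }

static const cmd_handler_t handlers[] = {
    handle_negotiate,
    handle_session_setup,
    handle_tree_connect,
};
#define HANDLER_COUNT (sizeof handlers / sizeof handlers[0])

/* Hardened dispatcher: any index outside the table is rejected before the
 * table is touched, so a crafted packet cannot steer a read past its end. */
int dispatch_checked(uint16_t index, const uint8_t *body, size_t len) {
    if (index >= HANDLER_COUNT) {
        return -1;  /* out of range: drop the packet instead of indexing past the table */
    }
    return handlers[index](body, len);
}

/* Defective pattern (the class of bug the advisory describes): the index is
 * trusted exactly as received. Kept only for contrast; it is never called
 * with an out-of-range value here because that read is undefined behaviour. */
int dispatch_unchecked(uint16_t index, const uint8_t *body, size_t len) {
    return handlers[index](body, len);
}

/* Packet-level entry point for a constructed 4-byte "header" whose first two
 * bytes (little-endian) carry the handler index; the rest is the body.
 * Returns the handler result, or -1 for a short or out-of-range packet. */
int process_packet(const uint8_t *pkt, size_t len) {
    if (len < 4) {
        return -1;  /* truncated header: refuse rather than read uninitialised bytes */
    }
    uint16_t index = (uint16_t)(pkt[0] | (pkt[1] << 8));
    return dispatch_checked(index, pkt + 4, len - 4);
}

int main(void) {
    /* Constructed sample packets: a valid index 0, and index 0xffff (far past the table). */
    const uint8_t good[] = {0x00, 0x00, 0x00, 0x00, 0x41};
    const uint8_t bad[]  = {0xff, 0xff, 0x00, 0x00, 0x41};
    printf("good -> %d\n", process_packet(good, sizeof good));
    printf("bad  -> %d\n", process_packet(bad, sizeof bad));
    return 0;
}
```

The check `index >= HANDLER_COUNT` is the whole fix: the comparison is unsigned, so negative or wrapped values cannot slip through, and the table size is derived from the array itself so the guard cannot drift out of step when handlers are added.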
This vulnerability affects SMB 2, which ships with Windows Server 2008. Although SMB 2 is not enabled by default, many systems are expected to have it enabled to allow file sharing, so its use on these platforms is expected to be fairly widespread. When this vulnerability was announced, originally as a denial-of-service (DoS), the discoverer also published proof-of-concept code, which easily and reliably produced a DoS (blue screen error).
There are a few mitigating factors for this vulnerability. SMB is not typically available through the firewall, so attacks might be limited to unprotected networks or inside the firewall.
You are not impacted if either of the following applies:
- You do not allow widespread use of file sharing through SMB 2.
- You are not using the vulnerable operating systems.
If you do run vulnerable operating systems that require file sharing, deploy protection immediately and apply updates when available.