Earlier this week a PoC exploit for a vulnerability in the BROWSER protocol was released on Full Disclosure. There has been some discussion regarding whether this issue can result in Remote Code Execution (RCE) or is only a Denial of Service (DoS). This blog post provides details on the exploitability based on our internal analysis.
Which systems are vulnerable
All versions of Windows are vulnerable, although the issue is more likely to affect server systems running as the Primary Domain Controller (PDC). In environments following best practices, the BROWSER protocol should be blocked at the edge firewalls thus limiting attacks to the local network.
The BROWSER protocol operates on top of SMB and is used to discover machines and resources on the network. It is implemented as a kernel driver
(mrxsmb.sys or bowser.sys, depending on the version of Windows). This vulnerability affects Windows machines that have been configured to (A) use the BROWSER network protocol and (B) that then become Master Browser on the local network. The BROWSER protocol uses an election process to determine which system will act as the “master” in terms of data collection and response handling.