topic Can anyone explain this vulnerability in more detail "Service Enum Through SMB ServiceEnum2" in General Topics

Can anyone explain this vulnerability in more detail "Service Enum Through SMB ServiceEnum2"

u11712 — Fri, 01 Feb 2013 17:19:03 GMT

I am trying to find more detail on what this vulnerability is and what could possibly be triggering it in a Windows Server environment. I am thinking that it might be a mis-configured service or application native to Windows Server but looking for a system expert to confirm or deny that theory.

When I look it up in the Threat Vault all it says is the flowing (which is far from helpful):

Service Enum Through SMB ServiceEnum2

Overview

Attack Name	Service Enum Through SMB ServiceEnum2
Description	Remote Enum Service Through SMB By ServiceEnum2 function number
Threat ID	30867
References	https://threatvault.paloaltonetworks.com/Home/ThreatDetail/30867
Severity	informational
Category	info-leak

Re: Can anyone explain this vulnerability in more detail "Service Enum Through SMB ServiceEnum2"

mikand — Fri, 01 Feb 2013 19:01:33 GMT

Someone or something tried to list which users are logged in to your server by using the SMB ServiceEnum2 function.

This is classified as informational so its in most cases nothing bad.

But it can be worth investigating which ipaddresses performs these lookups and perhaps whitelist those and then trigger an alert if someone else other than these sourceip's performs such enumeration (for example an intruder).

For more information (similar stuff):

http://nmap.org/nsedoc/scripts/smb-enum-users.html

- SMB enum services over \srvsvc infos SecuObs - L'observatoire de la sécurite internet - Site d'informations professionnelles francophone sur la sécurité informatique