MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback

Plugin tenable:40887 maps primarily to CVE-2009-3103, the SMBv2 negotiation flaw fixed by MS09-050 / KB975517. A remote attacker can send a specially crafted SMB packet to TCP/445 and crash the host or potentially execute code in kernel context. Microsoft and NVD tie the affected set to Windows Vista (Gold/SP1/SP2) and Windows Server 2008 (Gold/SP2), with historical mention of Windows 7 RC; this is not a broad modern-Windows issue.

Tenable's CRITICAL label is technically defensible in a vacuum because the bug is unauthenticated, network reachable, and has public exploit tooling. In real enterprise terms, though, severity comes down because the vulnerable population is now narrow, legacy, and usually internal-only; Microsoft explicitly noted default firewall/perimeter practices reduce outside reachability. For a 10,000-host program this is still a HIGH-priority legacy eradication item, not a drop-everything enterprise-wide emergency unless those systems are exposed or sitting on flat east-west networks.

Why this verdict

• Start at the vendor baseline: unauthenticated SMB RCE against a kernel-facing service deserves a high starting point, and Tenable's 9.8 is understandable on pure exploit mechanics.
• First downward adjustment — attacker position: the attacker must reach SMB on TCP/445. In real enterprises that usually means internal network access, VPN access, or a bad firewall exception, which implies either post-initial-access or a narrowly exposed edge case.
• Second downward adjustment — exposed population: vulnerable builds are basically Vista and Server 2008-era hosts. That is a tiny fraction of modern fleets, so the blast radius is constrained by asset rarity even before you talk about patching.
• Third downward adjustment — modern controls: NGFW/ACLs, SMB blocking at the perimeter, IPS signatures, and segmentation should stop or sharply limit step 1 and step 2 in a well-run estate.
• Why it does not fall further: once those frictions are removed, this is still pre-auth remote code execution with established weaponization, and legacy hosts often sit in brittle enclaves with weak containment.

Why not higher?

This is not a current broad-spectrum Windows exposure problem. It needs a very specific, obsolete target population, and Microsoft itself highlighted that standard firewall posture reduces reachability from outside the perimeter. The absence of a current KEV listing also matters: there is no present-day government-backed signal that this is a routine active-exploitation priority across enterprises.

Why not lower?

Dropping this to MEDIUM would underweight the core fact pattern: no authentication, no user interaction, network service, potential kernel-level RCE. If your scanner still finds this, you likely have a legacy host that can be taken down remotely and maybe fully compromised by anyone who can talk SMB to it. That is too dangerous for backlog-only treatment.

1. Block inbound SMB — Enforce TCP/445 and TCP/139 deny rules at every internet boundary and inter-segment choke point touching legacy enclaves. This directly removes the pre-auth attack path and, for a HIGH verdict, should be verified within 30 days.
2. Isolate legacy Windows nodes — Move remaining Vista/Server 2008 systems into tightly scoped VLANs or firewall groups with only approved application peers. Treat them as containment zones and complete that segmentation within 30 days.
3. Disable SMBv2 where business-safe — Microsoft's pre-patch workaround for this issue was to disable SMBv2. Use it as a temporary risk reduction on affected legacy hosts that cannot be patched immediately, and push the change within 30 days after validating application impact.
4. Push IDS/IPS coverage — Ensure network detection for malformed SMB negotiation traffic is enabled on sensors covering legacy segments. This is not a substitute for patching, but it buys visibility while containment is rolled out within 30 days.
5. Hunt for stragglers — Use CMDB plus unauthenticated SMB scanning to identify any remaining Vista/Server 2008 nodes and confirm whether KB975517 is present. For a HIGH verdict, finish the inventory reconciliation within 30 days so remediation can be tracked cleanly.

Run this on the target Windows host from an elevated PowerShell session: powershell -ExecutionPolicy Bypass -File .\check-ms09-050.ps1. It needs local admin rights to read OS/version and installed hotfix data; use it on suspected Vista/Server 2008 systems, not from an auditor workstation.

# check-ms09-050.ps1

# Detect likely exposure to MS09-050 / KB975517 (CVE-2009-3103 primary)

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Out-Result {
    param(
        [string]$Status,
        [string]$Reason,
        [int]$Code
    )
    Write-Output ("{0}: {1}" -f $Status, $Reason)
    exit $Code
}

# Collect OS info

$os = Get-CimInstance Win32_OperatingSystem
if (-not $os) {
    Out-Result -Status 'UNKNOWN' -Reason 'Unable to query Win32_OperatingSystem.' -Code 2
}

$caption = [string]$os.Caption
$version = [string]$os.Version
$sp = [string]$os.ServicePackMajorVersion

# Affected families for this plugin/advisory are primarily Vista and Server 2008.

$isVista = $caption -match 'Windows Vista'
$is2008 = $caption -match 'Windows Server 2008(?! R2)'

if (-not ($isVista -or $is2008)) {
    Out-Result -Status 'UNKNOWN' -Reason ("Host OS '{0}' is not a primary MS09-050 affected family (Vista / Server 2008)." -f $caption) -Code 2
}

# Check whether the security update is installed.

# Microsoft bulletin MS09-050 maps to security update 975517.

$kbId = 'KB975517'
$hotfix = Get-HotFix -Id $kbId
if ($hotfix) {
    Out-Result -Status 'PATCHED' -Reason ("{0} is installed on {1} {2} SP{3}." -f $kbId, $caption, $version, $sp) -Code 0
}

# Fallback: query WMI hotfix list in case Get-HotFix misses older records

$wmiHotfix = Get-CimInstance Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $kbId }
if ($wmiHotfix) {
    Out-Result -Status 'PATCHED' -Reason ("{0} found via Win32_QuickFixEngineering on {1} {2} SP{3}." -f $kbId, $caption, $version, $sp) -Code 0
}

# Optional SMBv2 check for context only

$smb2Disabled = $false
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = Get-ItemProperty -Path $regPath
if ($reg) {
    if ($null -ne $reg.Smb2) {
        if ([int]$reg.Smb2 -eq 0) { $smb2Disabled = $true }
    }
}

if ($smb2Disabled) {
    Out-Result -Status 'UNKNOWN' -Reason ("{0} not found, but SMBv2 appears disabled via registry workaround. Host may be mitigated but patch state is not confirmed." -f $kbId) -Code 2
}

Out-Result -Status 'VULNERABLE' -Reason ("{0} not found on likely affected OS '{1}' version {2} SP{3}." -f $kbId, $caption, $version, $sp) -Code 1

Sources

1. Tenable Nessus Plugin 40887
2. Microsoft Security Bulletin MS09-050
3. Microsoft Security Advisory 975497
4. NVD CVE-2009-3103
5. Microsoft MSRC exploit timeline for MS09-050
6. Rapid7 Metasploit module for MS09-050
7. CISA Known Exploited Vulnerabilities Catalog
8. Vulners CVE-2009-3103 record with EPSS