A 20-year-old vulnerability in the Windows implementation of the SMB protocol has been discovered. Microsoft says it won't patch it. Here is what you need to know.
Researchers Sean Dillon (Twitter: @zerosum0x0) and Jenna Magius (Twitter: @jennamagius) found the vulnerability in June 2017. A proof of concept on GitHub lets an attacker open a connection to a remote computer over the SMB protocol and make that computer allocate RAM to handle the connection. The attacker does not have to be authenticated.
If an attacker opens tens of thousands of such connections to one machine, its RAM is exhausted, which can freeze or crash the targeted computer. The vulnerability affects every version of the SMB protocol (SMBv1, SMBv2, SMBv3) and every Windows version from Windows 2000 up to Windows 10.
Every Windows system exposing port 445 is vulnerable, and since all SMB versions are affected, disabling SMBv1 alone does not stop the attack; the port itself has to be filtered from untrusted networks. On Linux, admins can set “max smbd processes = 1000” in the Samba smb.conf file to cap the number of smbd processes and so prevent an attacker from opening an unbounded number of SMB connections to the Samba server.
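A check a defender can run on the victim side, added here as an example for this page (it is not the researchers' proof of concept and not code from any of the articles cited): the attack leaves no exotic payload to match on, only an abnormal number of concurrent connections to TCP/445 held open from one remote address, so counting connections per remote address in ordinary netstat output is enough to spot it. The connection table below is constructed, and the thresholds (100 per source, 1000 in total) are assumptions to tune per environment, since a legitimate client holds only one or a handful of SMB sessions.

```python
"""Detection check for an SMBLoris-style connection flood.

The attack is a volume of connections, not a crafted payload: tens of
thousands of them held open to TCP/445, each from a different source port,
each costing the server memory. On the victim that shows up in the normal
connection table as one (or a few) remote addresses with a very large number
of concurrent connections to port 445. This script parses netstat-style
output (Windows 'netstat -ano' or Linux 'netstat -an') and reports that.
"""
from collections import Counter

# States worth counting: established sessions plus half-open ones
# (Windows spells the latter SYN_RECEIVED, Linux netstat SYN_RECV).
ACTIVE_STATES = {"ESTABLISHED", "SYN_RECEIVED", "SYN_RECV"}


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port). Splitting at the last colon and
    stripping brackets makes '[ipv6]:port' and ':::445' work too; a
    non-numeric port such as '*' (Linux listeners) becomes 0."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Parse netstat output into tuples
    (local_addr, local_port, remote_addr, remote_port, state).
    The two endpoint columns are located by their colon, so the Windows
    layout (Proto Local Foreign State PID) and the Linux layout
    (Proto Recv-Q Send-Q Local Foreign State) both work. Headers and
    non-TCP rows are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].upper().startswith("TCP"):
            continue
        endpoints = [i for i, f in enumerate(fields) if ":" in f]
        if len(endpoints) < 2 or endpoints[1] + 1 >= len(fields):
            continue
        laddr, lport = split_endpoint(fields[endpoints[0]])
        raddr, rport = split_endpoint(fields[endpoints[1]])
        conns.append((laddr, lport, raddr, rport, fields[endpoints[1] + 1].upper()))
    return conns


def connections_per_source(conns, local_port=445, states=ACTIVE_STATES):
    """Count concurrent active connections to local_port per remote address."""
    counts = Counter()
    for _laddr, lport, raddr, _rport, state in conns:
        if lport == local_port and state in states:
            counts[raddr] += 1
    return counts


def flag_flood(counts, per_source_threshold=100, total_threshold=1000):
    """Return (flagged_sources, total_connections). Thresholds are assumptions
    to tune: a normal SMB client holds a few sessions, so hundreds from one
    address are anomalous. The total is reported separately because a flood
    spread over many source addresses can stay under the per-source limit."""
    total = sum(counts.values())
    flagged = {src: n for src, n in counts.items() if n >= per_source_threshold}
    if total >= total_threshold and not flagged:
        flagged = dict(counts)  # nothing stands out individually, report everything
    return flagged, total


def build_sample(flood_source="203.0.113.7", n_flood=3000):
    """Constructed Windows 'netstat -ano' output, not a real capture: the 445
    listener, one legitimate SMB client, one RDP session, one IPv6 SMB client,
    and n_flood connections to 445 from flood_source, each on its own source
    port, as the attack produces (a real run would use far more ports)."""
    rows = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
        "  TCP    192.168.1.10:445       192.168.1.20:49876     ESTABLISHED     4",
        "  TCP    192.168.1.10:3389      198.51.100.3:61000     ESTABLISHED     1234",
        "  TCP    [2001:db8::10]:445     [2001:db8:ffff::1]:50001  ESTABLISHED  4",
    ]
    for i in range(n_flood):
        rows.append(f"  TCP    192.168.1.10:445       {flood_source}:{1024 + i}  ESTABLISHED     4")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    counts = connections_per_source(parse_netstat(build_sample()))
    flagged, total = flag_flood(counts)
    print(f"{total} active connections to TCP/445")
    for src, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"  suspect {src}: {n} concurrent connections")
```

On a live host, feed the real table in (for example `parse_netstat(subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout)` on Windows) and run it on a schedule or in response to a memory alert; the total count matters as much as the per-source count, because an attacker who spreads the connections over several addresses will not trip the per-source threshold.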
SMBLoris takes its name from the Slowloris attack on web servers. In 2009, security researchers showed that an attacker could open a large number of connections to a single web server and hold them open with partial requests, exhausting its connection slots or memory, a denial of service carried out from a single machine without any botnet. SMBLoris does the same thing over SMB instead of HTTP.
Microsoft has declined to patch this vulnerability in the Server Message Block (SMB) file-sharing protocol of Windows. “The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.” Further details can be found in the Kaspersky Threatpost article, in this rapid7.com community article and in this Bleeping Computer article. The attack was demonstrated at DEF CON (see below).
— Frieder Morneweg (@MornewegF) 5 August 2017