Microsoft won’t patch SMBloris vulnerability

A 20-year-old vulnerability in the Microsoft Windows SMB protocol has been discovered. Microsoft says that it won't patch this vulnerability. Here is what to know.



Researchers Sean Dillon (Twitter: @zerosum0x0) and Jenna Magius (Twitter: @jennamagius) found the original vulnerability in June 2017. There is a proof of concept on GitHub that allows an attacker to open a connection to a remote computer via the SMB protocol and instruct that computer to allocate RAM to handle the connection. The attacker doesn't have to be authenticated.

If an attacker opens tens of thousands of connections on a machine, the RAM will be exhausted. This can potentially freeze or crash the targeted computer. The vulnerability affects every version (SMBv1, SMBv2, SMBv3) of the SMB protocol and every Windows version from Windows 2000 up to Windows 10.

Windows systems exposing port 445 are vulnerable (i.e. disabling SMB won't stop attacks). On Linux, admins can set "max smbd processes = 1000" in the Samba smb.conf config file to prevent attackers from opening a large number of SMB connections to the Samba server.
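
To spot the many-connections-from-one-source pattern described above on a Linux Samba host, the following added example (not from the original article or the researchers) counts established connections to port 445 per peer address in `ss -tn` output. The sample output, the documentation-range addresses and the threshold of 100 are constructed assumptions.

```python
from collections import Counter

SMB_PORT = "445"


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def smb_connections_per_peer(ss_output):
    """Count established connections to local port 445 per peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # skips the header line and non-established sockets
        _, local_port = split_endpoint(fields[3])
        peer_addr, _ = split_endpoint(fields[4])
        if local_port == SMB_PORT:
            counts[peer_addr] += 1
    return counts


def flag_heavy_peers(ss_output, threshold):
    """Return {peer: count} for peers holding more than `threshold` SMB connections."""
    counts = smb_connections_per_peer(ss_output)
    return {peer: n for peer, n in counts.items() if n > threshold}


def build_sample():
    """Constructed `ss -tn` style output: one peer holds 300 connections."""
    lines = ["State  Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"ESTAB 0 0 192.0.2.10:445 198.51.100.7:{40000 + i}" for i in range(300)]
    lines += [f"ESTAB 0 0 192.0.2.10:445 203.0.113.{i}:51000" for i in range(1, 4)]
    lines += ["ESTAB 0 0 [2001:db8::10]:445 [2001:db8::99]:52000"]  # IPv6 client
    lines += ["ESTAB 0 0 192.0.2.10:22 198.51.100.7:53000"]         # not SMB
    lines += ["TIME-WAIT 0 0 192.0.2.10:445 198.51.100.7:39999"]    # not established
    return "\n".join(lines)


if __name__ == "__main__":
    # Threshold of 100 is an assumed value; tune it to the normal client load.
    for peer, n in flag_heavy_peers(build_sample(), threshold=100).items():
        print(f"{peer} holds {n} established connections to port 445")
```
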

SMBLoris takes its name from the Slowloris attack on web servers. In 2009, security researchers discovered that an attacker could open a large number of connections to the same web server, exhausting bandwidth, sockets, or memory, and carry out one-man DDoS attacks. SMBLoris is the same thing but done via SMB instead of HTTP.

Microsoft has declined to patch this vulnerability in the Server Message Block (SMB) file sharing protocol of Windows. "The case offers no serious security implications and we do not plan to address it with a security update," a Microsoft spokesperson told Threatpost. "For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1." Further details may be found in the Kaspersky Threatpost article, in this rapid7.com community article or in this Bleeping Computer article. The attack has been demonstrated at Def Con (see below).

