Microsoft has decided to not urgently release a patch for the vulnerability in its Server Message Block (SMB) protocol. In June 2017, two researchers from RiskSense Security namely Sean Dillon and Jenna Magius identified a flaw in Microsoft’s file sharing protocol.
The flaw, dubbed as SMBLoris, was identified while researching upon the NSA’s EternalBlue SMB exploit (the same exploit used by hackers to spread WananCry ransomware). The disturbing element of their research is that the vulnerability is around 20 years old and was present in older versions of MS Windows too, such as Windows 2000.
The flaw was evident in all the three SMB protocol versions SMBv1, SMBv2, and SMBv3 and Samba Linux Server. This server provides Linux systems the necessary SMB interoperability. Exploiting this flaw, a hacker doesn’t need to authenticate himself for opening a connection to any remote computer and instruct it to allocate RAM. This happens because the flaw doesn’t let remote code execution take place. Naturally, the flaw is serious and dangerous because the attacker can open millions of connections to the same device. This would exhaust the RAM and result in crashing the computer.
[q]”The vulnerability is in all modern versions of Windows, at least from Windows 2000 through Windows 10. Systems are still vulnerable even if all versions of SMB (1, 2, and 3) are disabled.”[/q]
SMBLoris has derived its name from the infamous Slowloris attack, which was discovered in 2009 by security researchers and it was claimed that Slowloris could attack web servers and create countless connections on a single server.
As a result, bandwidth, memory, and sockets got exhausted, and it became a lot easy to carry out one-man DDoS attacks. There is no such difference between SMBLoris and Slowloris apart from the fact that the former doesn’t use HTTP but SMB.
It is useless to disable SMB protocol, and the only way to prevent SMBLoris attack is by protecting the SMB service through a firewall to block incoming SMB connections or at least limit them to a lower number. On Linux systems, it can be prevented if admins set “max smbd processes= 1000.” This would be done in the Samba smb.conf config file. Through this method, attackers won’t be able to create a large number of SMB connections to the Samba server.
Experts were expecting a patch for this vulnerability, but surprisingly, Microsoft has declined to patch the SMB protocol on an urgent basis. Microsoft was notified by the researchers as soon as the vulnerability was identified but the tech giant claims that this issue does not fall into security bug category. The claim was made after two different internal security teams of Microsoft analyzed the issue separately.
However, Microsoft has agreed to fix the bug in the bugfix update in the near future. The company maintains that an attacker having “rudimentary network programming knowledge” can successfully exploit SMBLoris and make critical systems crash through exposing port 445 to the web.
The researchers presented their findings at the Defcon security conference in Las Vegas. A proof-of-concept was provided by security researcher Hector Martin, which can be viewed in the YouTube video attached below.
Watch SMBLoris attack demonstration below