Slashdot Mirror


Windows Remains Vulnerable To Serious 18-Year-Old SMB Security Flaw

Mark Wilson writes A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine. Researchers at Cylance say the problem affects "any Windows PC, tablet or server" (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997. Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. As the name suggests, victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords. Cylance also reports that software from companies such as Adobe, Oracle and Symantec, including security and antivirus tools, is affected.

21 of 171 comments

  1. used devastatingly already by circletimessquare · · Score: 5, Interesting

    apparently this is how sony got hacked

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:used devastatingly already by ShaunC · · Score: 2

      I hadn't heard that for all the North Korea rabble-rousing and misdirection. Were there ever any real postmortem details? I remember seeing plenty of speculation, but none mentioning this attack; if the official report from Mandiant ever came out, it didn't cross my radar.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:used devastatingly already by PRMan · · Score: 2

      Does anyone have a link for this?

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re:used devastatingly already by fuzzyf · · Score: 5, Interesting

      Man in the middle using SMB share. That requires someone to be on the local network to begin with.
      Could be used after pivoting, but not as a first foothold attack.

    4. Re:used devastatingly already by bloodhawk · · Score: 2

      So you are saying it wasn't North Korea as the US government has been claiming and it was actually someone on their local LAN? Where did you find this information?

    5. Re:used devastatingly already by circletimessquare · · Score: 2
      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    6. Re:used devastatingly already by circletimessquare · · Score: 2
      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  2. Wow, this *IS* old... by rickb928 · · Score: 5, Insightful

    IIRC, we discussed this in MSE classes, the same ones where the instructor assured us we need not register a domain name for our internal network (!), and agreed that despite the lack of information from Microsoft, it was worth it to block SMB ports from the public networks. As well as others, such as SQL Server (1433/1434 at a minimum), AD (135, 389, 5722, and the list goes on), and other services we need not expose to nor listen on for external traffic, we rapidly got to the point where the reasonably responsible admin blocked by default, opened only what was necessary, and then directed these to the proper hosts inside the network.

    This is slightly older than the Y2K bug. And still not really fixed? Microsoft's choices here have always come back to haunt them. NetDDE, OLE, the HTML viewers, and this, all making Outlook once the premier distribution method for viruses and all forms of malware.

    Interprocess friendliness has its cost. Ease of use goes both ways. The crooks are happy to take advantage of your features.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:Wow, this *IS* old... by mmell · · Score: 2, Interesting

      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

    2. Re:Wow, this *IS* old... by ageoffri · · Score: 2

      I'm sure there are Windows Administrators who would leave those ports open. Hopefully you have Network Administrators who know enough to block by default and require justification to open ports.

      --
      -- Slashdot, making the Left look conservative since 1997.
    3. Re:Wow, this *IS* old... by David_Hart · · Score: 2

      Yeah, but . . .

      Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?

      If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.

      This has been a non-issue for the simple fact that no one opens these ports to the Internet...

    4. Re:Wow, this *IS* old... by holostarr · · Score: 2, Insightful

      Yes there are! I personally know one at my company who is as a matter of fact very good at what he does and incredibly knowledgeable. Your assumption that Microsoft products somehow attract idiots more than other products is stupid.

    5. Re:Wow, this *IS* old... by XanC · · Score: 2

      Last year I signed up for a dedicated server, and discovered that the provider's VPN server and their control panel server had Windows file sharing and remote desktop ports open to the world! And they wouldn't give me a refund. Losses cut and lesson learned...

    6. Re:Wow, this *IS* old... by Gumbercules!! · · Score: 2, Interesting

      Yeah sadly, there's heaps of them. People who connect their Windows machine to the internet by establishing the PPPoE session from the machine, for one. People who rent a VM from a cloud provider and just get a straight up Windows box with no firewall, for two. If you think there's not a lot of those, believe me, there are. We run a cloud computing company and we frequently (ok, by frequently I mean a few times a year, I suppose - but we're just one company) get requests for people to have a Windows box with no firewall (other than the Windows one) because "it gets in the way", etc.

      As a service provider, I am not sure how to handle this because, technically, it's "their server". I mean, I can provide them all the advice I want but making them listen is another thing altogether.

      In one case, I showed the guy that I could map a drive to his server, over the public internet and that he needed to deny all ports other than the one he needed open (443) but it's like speaking to a child. They don't understand why it's a problem and they just want what they think they want and they want it, now.

      So I am not really sure how to handle this. Wherever I can, I don't give them the choice - I just enforce an upstream firewall but at the end of the day, if someone wants to pay money to own a VM and they're not (yet) causing any problems for anyone other than themselves...I can't be in business if I keep saying no to everyone. So yeah - there are plenty of Windows people out there who expose everything to the world.

  3. So if your network is also from 1997 by silas_moeckel · · Score: 2

    It requires a man in the middle attack on traffic that should never go across the internet outside a vpn. Yes it's a problem but not exactly a significant one for a well put together network.

    --
    No sir I dont like it.
    1. Re:So if your network is also from 1997 by The-Ixian · · Score: 2

      My understanding is that this exploit simply requires you to have outbound SMB ports open.

      In my experience, most firewall setups (especially those in companies who don't have dedicated IT staff) allow unrestricted outbound communications.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:So if your network is also from 1997 by LinuxIsGarbage · · Score: 2

      If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get an STI aka Stupid Transmitted Infection.

      I was going to say "Even Windows is smart enough". Looking at the Windows 7 Firewall profile, even under the "Public Network" profile (Coffee Shop, Airport, or directly connected to internet), SMB is allowed for the local subnet, which would limit attack surface on the Internet, but at a Wifi hotspot could be deadly. Which I guess is why some hotspots disallow local traffic between peers.
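    The mitigation the replies above converge on (The-Ixian: the attack needs outbound SMB to be open; LinuxIsGarbage: the Windows firewall only lets SMB out to the local subnet by default, which is fine on a LAN but not on shared wifi) can be enforced with host firewall rules. The following is an added example, not code from the thread or from Cylance's paper: it uses the NetSecurity cmdlets (Windows 8 / Server 2012 or later, run from an elevated prompt) to block outbound SMB and NetBIOS to any address outside the local subnet, then lists the resulting rules so the change can be audited. The rule names and group name are constructed for this example.

    ```powershell
    # Added example (not from the thread): block outbound SMB/NetBIOS from a Windows
    # host to anything outside the local subnet, so a redirect to an Internet-hosted
    # SMB server cannot make this machine send its credentials there.
    # Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated shell.
    #Requires -RunAsAdministrator

    $RuleGroup = 'Egress: SMB to Internet'   # constructed group name for lookup/removal

    # Port sets: TCP 445 (direct-hosted SMB), TCP 139 (SMB over NetBIOS session),
    # UDP 137/138 (NetBIOS name and datagram services).
    $Rules = @(
        @{ Name = 'Block outbound SMB (TCP 445/139) to Internet';     Protocol = 'TCP'; RemotePort = @('445', '139') },
        @{ Name = 'Block outbound NetBIOS (UDP 137/138) to Internet'; Protocol = 'UDP'; RemotePort = @('137', '138') }
    )

    foreach ($r in $Rules) {
        # Idempotent: skip rules that already exist so re-running the script is safe.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            # The 'Internet' address keyword resolves to everything that is not on a
            # local subnet, so LAN file servers stay reachable while redirects to
            # arbitrary external hosts are dropped. Applied to all profiles, since a
            # laptop on hotspot wifi is usually on the Public profile.
            New-NetFirewallRule -DisplayName $r.Name -Group $RuleGroup `
                -Direction Outbound -Action Block -Profile Any `
                -Protocol $r.Protocol -RemotePort $r.RemotePort `
                -RemoteAddress Internet | Out-Null
        }
    }

    # Audit: show each rule with its resolved remote-address and port filters.
    Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Direction     = $_.Direction
            Action        = $_.Action
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            RemotePort    = (($_ | Get-NetFirewallPortFilter).RemotePort -join ',')
        }
    } | Format-Table -AutoSize
    ```

    Two caveats when deploying this. Domain-joined machines that reach file servers or domain controllers on other subnets need explicit allow rules for those addresses (or an `Intranet` definition that covers them) placed alongside the block, otherwise logons and GPO processing break. And because SMB on the local subnet is still permitted, the rule does nothing against a malicious SMB server sitting on the same hotspot; that case is what the upstream egress filtering and peer isolation mentioned in the thread are for. On Windows 8.1 or later, `Test-NetConnection -ComputerName <external host> -Port 445` is a quick way to confirm the block is in effect.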

  4. original paper here by Anonymous Coward · · Score: 3, Informative

    original paper here: http://cdn2.hubspot.net/hubfs/270968/SPEAR/RedirectToSMB_public_whitepaper.pdf

    How hard is it to mandate any submission contain the source instead of some shill article?

  5. Ceterum censeo by TeknoHog · · Score: 3, Funny

    I remain vulnerable to serious 18 year olds, if you catch my drift.

    --
    Escher was the first MC and Giger invented the HR department.
  6. Wish this were new or news by WaffleMonster · · Score: 2

    I don't know how or why it came to this. The world is hooked on insecure authentication protocols. NTLMv2, Kerberos, plaintext, plaintext over encrypted tunnel protected by group secrets (sigh..) or certificates, and the dull thud of every flawed permutation of a challenge handshake system imaginable.

    These things are employed virtually everywhere and the consequences are visible everywhere.

    Haha I tricked you or your computer into connecting to my file system or my fake bank or my fake web site and because of that I now have your credentials and you're f*****d.

    Living with consequences has become so routine and institutionalized some find it difficult to see the problem at all ... instead resorting to blaming failure of a castle defense or operating in an unsafe environment rather than notice the root cause of the problem - broken authentication systems.

    When the most widely deployed use of a secure authentication protocol is protecting an online role playing game I have no interest in Microsoft's (And all other vendors) lame excuses for not fixing these problems decades ago.

  7. Article one giant spew of hyperbole by laughingskeptic · · Score: 5, Informative

    The article states "the encryption method used was devised in 1998 and is weak by today’s standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998 include support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing. http://www.windowsecurity.com/.... You are going need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.