Slashdot Mirror


Microsoft Won't Patch 20-Yr-Old SMBv1 Vulnerability (You Should Just Turn the Service Off) (onmsft.com)

An anonymous reader shares a news post: Following the recent WannaCry and Petya ransomware attacks, Microsoft recommended that all Windows 10 users remove the unused but vulnerable SMBv1 file sharing protocol from their PCs. This is because both variants of the ransomware actually used the same SMBv1 exploit to replicate through network systems, even though it seems that Petya mostly affected Windows PCs in Ukraine. Anyway, if you haven't turned off the protocol on the PC already, you really should: not only because new WannaCry/Petya variants could once again use the same vulnerability to encrypt your files, but because another 20-year-old flaw has just been unveiled during the recent DEF CON hacker conference. The SMB security flaw called "SMBLoris" was discovered by security researchers at RiskSense, who explained that it can lead to DoS attacks affecting every version of the SMB protocol and all versions of Windows since Windows 2000. More importantly, a Raspberry Pi and just 20 lines of Python code are enough to bring a Windows server to its knees.

20 of 131 comments

  1. why was SMB1 still enabled 20 years later? by Anonymous Coward · · Score: 5, Insightful

    Why doesn't Microsoft patch the OS so that SMB1 is disabled entirely? I mean MS already shoves all sorts of crap down your throat anyways, why can't they unshove that shit?

    1. Re:why was SMB1 still enabled 20 years later? by suutar · · Score: 3, Informative

      Planned for Windows 10 Fall Creators Update, according to TFA

    2. Re:why was SMB1 still enabled 20 years later? by The+MAZZTer · · Score: 2

      Probably because some third-party apps still use it. Google recently released an app for Android which provides SMB client functionality. Guess what? It only supported SMB1. This was released AFTER the SMB1 deprecation announcement. Since then they did update the app with modern SMB support.

  2. So when will HP upgrade? by GerbilSoft · · Score: 5, Interesting

    Most of HP's multi-function printers with Scan To Network only support SMB1. When will they issue a firmware update that adds support for SMB2?

    1. Re:So when will HP upgrade? by DigiShaman · · Score: 2

      EOL means SOL. OTOH, sales are about to increase at HP.

      In other news, recycling facilities that haul off e-waste are about to get an influx of obsolete equipment.

      Hey, don't hate me, I'm just the messenger.

      --
      Life is not for the lazy.
    2. Re:So when will HP upgrade? by nine-times · · Score: 2

      It's not just HP. It's a bunch of equipment-- some of it not even that old.

      Oh well. You'll have to buy a new one.

    3. Re:So when will HP upgrade? by OhPlz · · Score: 4, Informative

      This is why you don't buy hardware from HP.

    4. Re:So when will HP upgrade? by AmiMoJo · · Score: 4, Funny

      Also, thanks to TFA for providing instructions on how to disable SMB1.

      Also why the hell does Windows have Super Mario Brothers 1 and 2 built in?!?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:So when will HP upgrade? by Anonymous Coward · · Score: 5, Insightful

      Or operating systems from MS.

    6. Re:So when will HP upgrade? by Dog-Cow · · Score: 2

      Is there any universe in which loss of power is relevant to setting up a special server to talk to old hardware? Or do you just spout random shit as a vocation?

  3. Ummmmm Link for how to turn it off? by A10Mechanic · · Score: 5, Informative
    1. Re:Ummmmm Link for how to turn it off? by sexconker · · Score: 4, Informative

      Keep in mind there's a server component and a client component (regardless of whether or not you have a "server" OS), and you probably want to disable both.
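
      The audit and the two disable steps the comment above describes, as an added PowerShell example (not from the article or any commenter); it assumes a Windows 10 / Server 2016 or later host with the SmbShare cmdlets, run from an elevated session, and a reboot afterwards:

```powershell
# Added example, not from the article or any commenter.
# Assumes Windows 10 / Server 2016+ (SmbShare module, DISM feature name
# "SMB1Protocol"); run elevated and reboot when done.

# --- 1. Audit first: which clients still negotiate SMB1? ---
# Sessions reporting a 1.x dialect are the printers, scanners and old NAS
# boxes that will break once the server side is switched off.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect
if ($legacy) {
    Write-Warning "Clients still using SMB1 (fix these before disabling):"
    $legacy | Format-Table -AutoSize
}
# Log SMB1 access attempts to the event log so stragglers show up later.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# --- 2. Server component: stop this host from *serving* SMB1 ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# --- 3. Client component: stop this host from *speaking* SMB1 to others ---
# Drop the SMB1 redirector (mrxsmb10) from the workstation service's
# dependency list, then disable the driver so it cannot be loaded.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# --- 4. Remove the optional feature entirely (covers both halves) ---
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# --- 5. Verify ---
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State
```

      Step 4 alone also removes the client component; steps 2 and 3 are kept so the change holds on editions where the feature cannot be removed.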

  4. Re:my two cents... by BronsCon · · Score: 3, Insightful

    I couldn't see the move as any more disastrous than entire hospitals going offline...

    What, pray tell, do you think happens when the whole reason the hospital has SMB1 enabled on its systems in the first place is to talk to multi-hundred-thousand- and multi-million-dollar pieces of medical equipment (think MRI and such) that don't speak SMB2?

    Therein lies the rub.

    Yes, those machines should be on an air-gapped network shared only with the workstations used to control and operate them. No, the vendors of those machines will not allow that because they want realtime monitoring of the equipment. Blame those vendors for Microsoft really not being able to do anything about this; it's not like hospitals can say "fine, if you won't sell us a more up-to-date MRI we just won't have one at all"; they'd face liability for not utilizing every available means of diagnosis and treatment.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  5. Re:People still USE SMBv1 by BronsCon · · Score: 3, Informative

    The SMB1 protocol is vulnerable. An implementation lacking the vulnerability would be incomplete and, likely, nonfunctional.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  6. Microsoft list of SMB1 products by Traf-O-Data-Hater · · Score: 4, Informative

    Agreed, there is a huge lot of older but still functional equipment that only talks SMB1. Microsoft has put together this list, and it surely isn't everything: https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/

  7. Re:my two cents... by BronsCon · · Score: 2

    VLANs aren't a perfect solution; switch firmware can potentially be exploited, and we're talking about potentially life-and-death critical infrastructure. Beyond that, if the vendors want the equipment on the public internet (which they do, which you'd understand had you read my entire post before spouting off), VLANs aren't really a solution.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  8. You missed the patch for systemd. by jimtheowl · · Score: 2, Insightful
  9. Stuck supporting it because of OS X. by aaarrrgggh · · Score: 3, Informative

    OS X still has such a miserable SMB client that we are stuck with SMB1/CIFS to maintain some semblance of reliability and speed.

  10. Re: my two cents... by Spliffster · · Score: 2

    I work in a hospital and you are right. Multi-million-dollar FDA-approved equipment is slow to get updates. The larger the company, the worse the service (I am looking at you, GE). However, MRIs should talk DICOM and not SMB. SMB would be a very stupid option!

  11. Re: my two cents... by BronsCon · · Score: 2

    My point was that there is plenty of equipment in use today (mostly high-end and expensive printers) which, of the file transfer protocols Windows speaks natively, only speak SMB1, and that the fault for those systems being online often lies with vendors, while the fault for those systems being misconfigured and the network they are on being vulnerable often lies with the IT department. I framed my argument in terms of a hospital because that's what I was replying to.

    And you should know that many hospitals do use printers affected by this.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.