Windows Remains Vulnerable To Serious 18-Year-Old SMB Security Flaw
Mark Wilson writes: A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine. Researchers at Cylance say the problem affects "any Windows PC, tablet or server" (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997. Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. As the name suggests, victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords. Cylance also reports that software from companies such as Adobe, Oracle and Symantec — including security and antivirus tools — are affected.
used devastatingly already (Score:5, Interesting)
apparently this is how sony got hacked
Re: (Score:2)
I hadn't heard that for all the North Korea rabble-rousing and misdirection. Were there ever any real postmortem details? I remember seeing plenty of speculation, but none mentioning this attack; if the official report from Mandiant ever came out, it didn't cross my radar.
Re: (Score:3)
there you go:
http://www.securityweek.com/ha... [securityweek.com]
Re: (Score:2)
Soooo what exactly does that article have to do with this vulnerability? It is not mentioned in there, nor does the SMB worm mentioned make use of such a vulnerability. So I think you definitely still need a citation.
Re: (Score:3)
source:
http://www.securityweek.com/ha... [securityweek.com]
Re:used devastatingly already (Score:5, Interesting)
Could be used after pivoting, but not as a first foothold attack.
Re: (Score:2)
yes, they probably had inside help
Re: (Score:2)
I think a lot of people have forgotten that Stuxnet required someone on the inside who had access to the Iranian centrifuge lab to kick off the party. Cultivating that inside asset was probably harder, and definitely more dangerous, than engineering the virus.
Re: (Score:2)
yeah the technical aspects of an exploit are always interesting
but a real devastating hack is always 90% boring and mundane social aspects
Re: (Score:1)
One would think that basic credential traversal would be the preferred method once inside. MITM redirection of SMB traffic would probably set off a few IDS alerts.
Re: (Score:3)
So you are saying it wasn't north korea as the US government has been claiming and it was actually someone on their local lan? where did you find this information?
Re: (Score:2)
They would just need a VPN login, easily obtainable through phishing.
Re: (Score:2)
With a VPN login, you can start looking for hosts on the internal network to attack... Chances are on a network of any significant size there will be at least one box which is vulnerable to something, either unpatched vulnerability or weak password.
If you look at an internet facing network, there are generally few exploitable things visible because exposure to the internet ensures that all the low hanging fruit has already been picked, but on an internal network there is all manner of easy stuff. Once you h
Re: (Score:2)
i *think* they had inside help, that's my own personal opinion, no source
i don't know all the details of the tool, maybe they didn't have inside help but just a little social engineering for a few hours one day. or maybe even the sony security was so rotten, they could set it all up from the outside
here's the article that mentions the attack:
http://www.securityweek.com/ha... [securityweek.com]
Re: (Score:2)
did you read the fucking article?
follow the link moron:
https://www.us-cert.gov/ncas/a... [us-cert.gov]
Re: (Score:2)
an SMB worm uses an SMB flaw, but that has nothing to do with this topic
got it
thanks for setting me straight genius
Re: (Score:2)
If you fell for it and are not a source of funding for IT security then you are "collateral damage".
Re: (Score:1)
citation given
http://www.securityweek.com/ha... [securityweek.com]
Re: (Score:2)
the SMB worm doesn't use an SMB flaw genius?
Re: (Score:2)
no it doesn't
Grammar (Score:1)
"Software...are affected"? Has samzenpus ever heard of a mass noun?
Re: (Score:1)
It's a mass muon, you ass.
Re: (Score:2)
LMBO
Wow, this *IS* old... (Score:5, Insightful)
IIRC, we discussed this in MSE classes, the same ones where the instructor assured us we need not register a domain name for our internal network (!), and agreed that despite the lack of information from Microsoft, it was worth it to block SMB ports from the public networks. As well as others, such as SQL Server (1433/1434 at a minimum), AD (135, 389, 5722, and the list goes on), and other services we need not expose to nor listen on for external traffic, we rapidly got to the point where the reasonably responsible admin blocked by default, opened only what was necessary, and then directed these to the proper hosts inside the network.
This is slightly older than the Y2K bug. And still not really fixed? Microsoft's choices here have always come back to haunt them. NetDDE, OLE, the HTML viewers, and this, all making Outlook once the premier distribution method for viruses and all form of malware,
Interprocess friendliness has its cost. Ease of use goes both ways. The crooks are happy to take advantage of your features.
Re: (Score:2)
"Should" is pretty distinct from "is."
Re: (Score:3)
Yeah, but . . .
Are there any Windows Administrators out there with I.Q.'s > 90 that knowingly and intentionally leave ports 137, 138, 139 and/or 445 open to the Intartubes?
If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.
This has been a non-issue for the simple fact that no one opens these ports to the Internet...
Re: (Score:1)
If your Windows Admins are managing your firewalls, then you are in trouble... Usually it's either the network engineers or firewall Admins.
It always strikes me as odd that people assume businesses have the resources to deploy "best practices" ~ aka having one specialist team member for every IT position (Net, Admin, DBA, analyst, help desk, etc). Most businesses (ie small / medium ones) can only scrape together the means to employ one person (if any) and hope they have the skills to keep the business applications running ~ pretty much _everything_ else is secondary.
Does this "best practice" mantra attempt to coach SME's to do the right thing
Re: (Score:3)
Last year I signed up for a dedicated server, and discovered that the provider's VPN server and their control panel server had Windows file sharing and remote desktop ports open to the world! And they wouldn't give me a refund. Losses cut and lesson learned...
Re: (Score:2)
Oh I should also point out that they didn't use HTTPS for anything. Logging in to your account and everything was entirely HTTP. "Reliable Site" my ass...
Re: (Score:2)
It was ReliableSite.net. I tried to name them earlier but was too subtle. :-)
I was only out a month's worth, fortunately.
Re: (Score:2)
Done; see above
Re: (Score:2)
Requiring a firewall is another poor design decision... You should be able to turn all these services off, but Windows makes it extremely difficult to disable the default listening services and the recommendation is to hide them behind a firewall... If the system still runs with the services hidden so that no one can connect to them, then why exactly do they need to be listening at all?
Re: (Score:2)
On the other hand 'their' server has to share a network with other servers. If they refuse to use best current security practices, their server will start interfering with other servers.
So the answer is: don't sell them unsecured VMs. If they can't take the above argument and insist, at least charge them more based on the fact that you will have to clean up the mess eventually. And if you have many such custome
Re: (Score:2)
That's *nix (or any other) firewalling 101. The instructor was probably not addressing any individual known threat but the general idea that you don't let the outside world touch ports for internal use just in case something can get in some day.
Re: Wow, this *IS* old... (Score:2)
I shouldn't have left the impression that this instructor taught us to block by default. At that time MCSE didn't teach that. And he didn't either. We all discussed it over coffee among other things, like the stupidity of naming your intranet 'msft.net'. That was taught at one time.
Re: (Score:2)
"If it's not expecting traffic on that port on that interface then block it" always seemed like a simple way to start to me.
Re: Wow, this *IS* old... (Score:2)
That's a permissions problem. Users in one building shouldn't have permission to use printers in another.
Groups are your friend.
Re: Wow, this *IS* old... (Score:2)
That's group membership that matters. Machines do move however, so location-based membership is next. My current computers are all notebooks or tablets. Even at work.
Re: (Score:2)
The problem is poor design and inertia... It's not like a simple bug which can be fixed without changing how the software works, there are many design flaws in the protocol itself and fixing them would require incompatible changes. If you're going to drop current windows versions and go to an incompatible system, might as well go straight to linux.
So if your network is also from 1997 (Score:3)
It requires a man in the middle attack on traffic that should never go across the internet outside a vpn. Yes it's a problem but not exactly a significant one for a well put together network.
Re: (Score:3)
My understanding is that this exploit simply requires you to have outbound SMB ports open.
In my experience, most firewall setups (especially those in companies who don't have dedicated IT staff) allow unrestricted outbound communications.
Re: (Score:2)
Why on earth would any competent IT staff have SMB open outbound? If at all possible desktops should not be allowed to make direct connections to anything outside in a corp network.
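One concrete form of the "block outbound SMB" advice in the two posts above, as an added example that is not from the thread or from Cylance's paper: PowerShell rules that block outbound SMB/NetBIOS from a Windows host to anything outside the local subnet, and to everything while on the Public profile, then list what was created. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session.

```powershell
# Added example, not from the article or the thread.
# A Redirect to SMB lure only works if the victim can reach the attacker's
# SMB server, so the host-level mitigation is to refuse outbound SMB/NetBIOS
# to non-local addresses. Assumes Windows 8 / Server 2012+ and an elevated shell.

# Port sets per transport: NetBIOS name/datagram are UDP, session/SMB are TCP.
$smbPorts = @{
    'TCP' = @('139', '445')
    'UDP' = @('137', '138')
}

# Rule 1: on every profile, block SMB to addresses that are not on the local
# subnet ('Internet' is a built-in address keyword of the Windows firewall).
foreach ($proto in $smbPorts.Keys) {
    New-NetFirewallRule -DisplayName "Block outbound SMB ($proto) to Internet" `
        -Direction Outbound -Protocol $proto -RemotePort $smbPorts[$proto] `
        -RemoteAddress Internet -Action Block -Profile Any -Enabled True |
        Out-Null
}

# Rule 2: on the Public profile (hotspots), peers on the same subnet are not
# trustworthy either, so block SMB to any remote address there.
foreach ($proto in $smbPorts.Keys) {
    New-NetFirewallRule -DisplayName "Block outbound SMB ($proto) on Public" `
        -Direction Outbound -Protocol $proto -RemotePort $smbPorts[$proto] `
        -RemoteAddress Any -Action Block -Profile Public -Enabled True |
        Out-Null
}

# Verification: print each rule with its protocol, ports, remote scope and action.
Get-NetFirewallRule -DisplayName 'Block outbound SMB*' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    '{0}: {1}/{2} -> {3} [{4}, profile {5}]' -f $_.DisplayName,
        $portFilter.Protocol, ($portFilter.RemotePort -join ','),
        ($addrFilter.RemoteAddress -join ','), $_.Action, $_.Profile
}
```

Block rules take precedence over allow rules in the Windows firewall, so the default "File and Printer Sharing" allow rules for the local subnet are unaffected on Domain/Private and overridden on Public. Roll this out by GPO rather than per host if the domain has many machines.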
Re: (Score:2)
The problem is that SMB is not just a filesharing protocol, it provides access to whole heaps of other functionality at least on windows. If all you want to do is file sharing then SMB is a terrible choice.
Re: (Score:1)
try scp or rsync sometime: fully supported by all operating systems that try to be secure. Oh, you meant "GUI" access, in that case, use a web based service [fromdev.com] that allows directory views and uploads. Or use some dropbox like enterprise solution [aerofs.com]. In any case SMB is a terrible terrible solution. None of my *nix based boxes run it.
Disclaimer: I use scp and rsync - I have not used any of the other solutions.
Re: (Score:1)
Hence the reference to an enterprise solution, one that is targeted to windows even. Pretty much everything is better than the insecure disaster known as SMB.... and if you think those alternatives are "bad", then blame MS for foisting the horrors of insecure and crappy SMB on the masses.
I believe "Just because you can doesn't mean you should" applies to all facets of SMB like playing with frightened skunks (with similar results for those slow on the relationship)
Re: (Score:2)
I'd love to know the better solution for Mac, Windows and Linux access to network shares, and the network shares have to be performant, local (i.e no cloud sync), not require paid software, and support several tens of terabytes per shared filesystem. Oh, and use Active Directory permissions...
Re: (Score:1)
So there's your problem - you want this polished turd because it's all shiny, but it's still a turd. You never wondered why it's free? You will have to pay to get one of the secure ones if the host of other free solutions [slashdot.org] are not to your liking.
The real question with disk space being so damn cheap is why would you want a "performant, local" network share anyways with AD permissions to boot on 10s of TBs per FS? That sounds more like a content management system that you've co-opted SMB to do, and it is whol
Re: (Score:2)
Honestly, I'm not sure if you're a troll, or just someone who strongly believes if you don't do it your way, you're wrong.
I'm working in a research institution. We have limited funding from grants. We are doing X-Ray research, with detectors that output data on the order of 30GB a run, and there can be more than one run a day. This data, once generated, needs to be accessible by compute nodes, without hitting the acquisition disk. There isn't reliable down time between acquisitions, so rsyncs are hard to sc
Re: (Score:1)
Honestly, I'm not sure if you're a troll, or just someone who strongly believes if you don't do it your way, you're wrong.
Fortunately, I'm neither. I will, however, point out when something's just "wrong". (I know, it's easy to be a critic)
I'm working in a research institution. We have limited funding from grants. We are doing X-Ray research, with detectors that output data on the order of 30GB a run, and there can be more than one run a day....
So you have bounded the binary data problem, 30GB data sets with multiple sets generated a day. You also state that the acquisition disks cannot be hit while it's running. You don't state whether you can use a SAN, which would be your best technical option, although does cost some money but allows for processing, redundancy, backups, and offloading. The next best option would be a NAS system
Re: (Score:2)
Well, there's the experimental data, and then the administrative data. Those word docs need to be shared, backed up, etc. The various matlab and labview files need to be accessible from Sun Grid Engine nodes and local Windows, Scientific Linux and Mac OSX workstations.
We currently use a RedHat HA cluster that provides NFS and CIFS / SMB access to disk stored on iSCSI devices. So sort of a home build SAN I guess. We looked into better known commercial offerings, but basically they were 10x our budget. Unlike
Re: (Score:1)
I'd state the second is false, as you're forcing them into a windows environment, and, unless things have changed, many of those folks have used *nix flavors as well. Of course, you're stuck with the MS Office disease, which probably still has 10 years left before it clears up.
Given your constraints and situation and where you are, I don't believe any obviously
Re: (Score:2)
Oh, I'm not forcing anyone into a Windows environment. I strongly push them towards Linux and tell them it's the preferred environment at the lab, and all our infrastructure is Linux based. We just wanted to set up a data download station, and suggested Linux, but were told the external users aren't familiar with Linux (I don't know how they run the experiment, where lots of it is based on Linux, but hey, not something I get to change), and will need Windows there.
We have plenty of Labview stuff which I'm to
Re: (Score:2)
If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get a STI aka Stupid Transmitted Infection.
Re: (Score:3)
If your laptop is connecting to any random open wifi and does not have a strict firewall, it should get a STI aka Stupid Transmitted Infection.
I was going to say "Even Windows is smart enough". Looking at the Windows 7 Firewall profile, even under the "Public Network" profile (Coffee Shop, Airport, or directly connected to internet), SMB is allowed for the local subnet, which would limit attack surface on the Internet, but at a Wifi hotspot it could be deadly. Which I guess is why some hotspots disallow local traffic between peers.
Re: (Score:2)
>having no idea what you're talking about
>throwing out NSA and MITM like theyre relevant here
Re: (Score:2)
This isn't a buffer overflow bug. In fact, it isn't a bug at all, but a design weakness.
Re: (Score:2)
It's as if someone had been coding Samba ... in the rain!
(GOML)
Re: (Score:2)
It's as if someone had been coding Samba ... in 1987!
Windows File-Sharing (Score:2, Troll)
Windows file-sharing on home machines has pretty much always been terrible. It's like a bunch of monkeys put it together. I am guessing they tasked one or two guys to add it to home machines when the bulk of a group was working on corporate file sharing (which is at least a bit more reliable), and the result was just a really bad design and code that has been sitting around the kernel forever. Getting two machines to talk to each other over an Ethernet cable has always been much harder than in linux. (I
original paper here (Score:3, Informative)
original paper here: http://cdn2.hubspot.net/hubfs/270968/SPEAR/RedirectToSMB_public_whitepaper.pdf
How hard is it to mandate any submission contain the source instead of some shill article?
Ceterum censeo (Score:4, Funny)
Wish this were new or news (Score:3)
I don't know how or why it came to this. The world is hooked on insecure authentication protocols. NTLMv2, Kerberos, plaintext, plaintext over encrypted tunnel protected by group secrets (sigh..) or certificates and dull thud of every flawed permutation of a challenge handshake system imaginable.
These things are employed virtually everywhere and the consequences are visible everywhere.
Haha I tricked you or your computer into connecting to my file system or my fake bank or my fake web site and because of that I now have your credentials and you're f*****d.
Living with consequences has become so routine and institutionalized some find it difficult to see the problem at all ... instead resorting to blaming failure of a castle defense or operating in an unsafe environment rather than notice the root cause of the problem - broken authentication systems.
When the most widely deployed use of a secure authentication protocol is protecting an online role playing game I have no interest in Microsoft's (And all other vendors) lame excuses for not fixing these problems decades ago.
Re: (Score:2)
Why do you lump Kerberos in there? Kerberos afaik is fine security wise.
Kerberos client authentication is subject to offline dictionary attack.
Re: (Score:2)
Do you have an opinion of a relatively common method that is better? My issue with many is that it just sends the password to the server for verification, trusting that TLS will protect it. Given that it's exceedingly common for clients to not verify the certs, this is also fraught with risk.
Recommend looking into a PAKE algorithm. The advantage is that they are able to provide mutual proof of possession of a common secret without leaking knowledge that may be used to determine what that secret is. These systems are not vulnerable to offline attack and provide keying to encrypt the network session such that you can carry on a secure conversation post authentication.
TLS-SRP is currently my favorite option. Currently shipping with many commonly used SSL toolkits. Supported by Apache and CURL but still
Article one giant spew of hyperbole (Score:5, Informative)
Re: (Score:1)
There may be a good reason MS left some of it in place. Anybody want to offer speculation?
Re: (Score:1)
Couldn't they switch off the related feature or service by default in the newer OS versions, and only organizations with specialized equipment would need to switch them on? True, many orgs probably wouldn't know about the change or their reliance on an old feature, and be surprised. But generally a major OS upgrade will have changes like that, and should be tested for before production. But it's not always easy to fully test something that relies on multiple servers and services.
Re: (Score:2)
The article states "the encryption method used was devised in 1998 and is weak by today's standards ... Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability" as if Microsoft must remove the feature in order for Cylance to consider this resolved. Instead a number of improvements have been made to SMB since 1998, including support for HMAC-SHA256 (v2.0) and AES-CMAC (v3.0) hashing.
When faced with claims of security it is necessary to fully understand the underlying basis of trust without which security is a mirage.
What is the mechanism by which one system or user authenticates the identity of another system or user and why is this process trustworthy?
Without secure authentication and proper binding encryption by itself is useless.
You are going to need a little more than "$3000 worth of GPUs" to forward brute force the AES-CMAC hashed passwords.
How are the key parameters to AES and HMACs derived? If an attacker can figure that out then a whopping $0 worth of GPUs will suffice.
So how about it... w
Re: (Score:2)
Although SMB has been improved to now include AES-CMAC (on Win8/2012) the underlying hashing algorithm used for authentication is still based on LM, NTLMv1, or NTLMv2.
Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.
Re: (Score:2)
Only Windows Server 2003 and below will accept LM/NTLMv1 by default, which means as far as supported systems only 2003, and it is EOL July 14, 2015. You'd have to be desperate to still be running any 2003, and if you were you can disable LM/NTLMv1 via GPO. Vista/2008 and above will only accept NTLMv2 responses.
NTLMv2 is broke too.
Re: (Score:2)
NTLMv2 is broke too.
NTLMv2 isn't broken, but it definitely isn't as good (secure or featureful) as Kerberos, which is why Windows uses Kerberos by default. If you're in a domain, then Windows will only fall back to NTLMv2 for SMB if you do something that would prevent a Kerberos ticket from being verified (like access an SMB share by IP instead of name). It's really just a simpler fallback mechanism now. You could prevent that by requiring signing for all SMB connections, which I believe is only enabled by default on domain
Re: (Score:2)
NTLMv2 isn't broken, but it definitely isn't as good which is why Windows uses Kerberos by default.
Both NTLMv2 and Kerberos are broken because an attacker is able to conduct offline brute force attacks against credentials simply by observing challenge/response communication between client and server.
This constitutes an unacceptable risk because the vast majority of users do not use passwords with sufficient entropy to withstand an offline attack conducted by modern, distributed and specialized hardware. In the end you're looking at an easy >90% success rate against most targets vs guaranteed 100% ra
Those 6575 day attacks are the worst! (Score:2)
Probably unfixable ... (Score:2)
The applications that are providing the attack vector might be fixable. It isn't really a good thing for a remote attacker to be able to get your machine to try to open a file, especially a remote one. The main problem, from the sounds of it, is the sheer number of applications affected.
Reminiscent of DLL hijacking attacks, really.
Re: (Score:2)
You would need to disable the Workstation service, not just the Server service.
Re: (Score:2)
Heartbleed was around for 2 years before it was discovered.