Microsoft has announced that the SMBv1 SMBloris bug described at DEF CON won’t be patched because it could be fixed simply blocking incoming connections.
Recently security researchers at RiskSense have identified a 20-year-old Windows SMB vulnerability they called SMBloris (a nod to the Slowloris DoS attack.), they presented their findings at the recent DEF CON hacker conference.
The exploit is a Denial of Service (DoS) attack affecting “every version of the SMB protocol and every Windows version dating back to Windows 2000.” Like most DoS attacks, the target system is overwhelmed by multiple service requests rendering it unavailable. Most modern systems require coordination of a massive number of attacking systems to overwhelm the target, referred to as a Distributed Denial of Service (DDoS) attack. However, the flaws discovered in the Windows SMB service are easily exploited by a single, low-powered computer.
Microsoft has announced that the SMBv1 bug described at DEF CON won’t be patched because it could be fixed simply blocking connections coming from the Internet.
“The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”. explained RiskSense researchers Sean Dillon.
Now that SMBLoris is dropped at DEF CON, time to drop it on Twitter:
The first 3 bytes of an SMB connection are an NBSS header,
The SMBloris is a memory handling bug that could be exploited by attackers to shut down big web servers with small computers.
Of course, attackers can trigger the SMBloris only if the target machine has SMBv1 exposed to the Internet, that’s why Microsoft argued that it is just a configuration issue.
NBSS is the NetBIOS Session Service protocol, every connection to it allocates 128 KB of memory that is freed when the connection is closed. The connection is closed after 30 seconds if no activity is performed.
With 65535 TCP ports available the attackers can fill up more than 8 GB, powering DDoS attack on both IPv4 and IPv6 it is possible to reach 16 GB. The volume could be doubled (32 GB) using two IPs, they can fill 32 GB.
The attack triggers the memory saturation for NBSS and it is necessary to reboot the server in order to restore a normal operation.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.