Large scale Windows SMB vulnerability puts user login credentials at risk

An important vulnerability labeled “Redirect to SMB” has been uncovered by Cylance. It allows attackers to steal sensitive login information using a new technique. All devices running Windows (even the preview of the latest Windows 10) are affected, and the list of vulnerable software packages is huge as well. The vulnerability was recently disclosed to the public by Carnegie Mellon University's CERT, which has been working with the affected software vendors for the last few weeks to help resolve the issue.

From Server Message-Block to Unauthorized Access-Allow

Server Message Block (SMB) is an application-layer network protocol mainly used to provide shared access to files, printers and miscellaneous communications between nodes on a network. In this case, the communication between the victim’s computer and a legitimate web server can be hijacked using a man-in-the-middle attack and the traffic redirected to a malicious SMB server, which then captures the victim’s username, domain and hashed password. This is therefore another technique that cyber criminals can use to steal important login data. The following illustration describes the scenario:

Illustration of the Redirect to SMB vulnerability (source http://blog.cylance.com)

The Redirect to SMB vulnerability is not the first of its kind. According to Brian Wallace of Cylance:

The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser.
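The two scenarios described above (an HTTP redirect or embedded resource pointing at a file:// URL or UNC path, and the resulting outbound SMB session to an address outside the network) are things a defender can look for in proxy logs and on the endpoint. The PowerShell below is an added example written for this article; it is not code from Cylance, CERT or Emsisoft. The proxy log layout it parses is constructed for the example, and Find-SmbRedirect, Test-PrivateIPv4 and Get-ExternalSmbConnection are names chosen here.

```powershell
# Added example (constructed log format, hypothetical function names).
# Flags HTTP 3xx redirects whose target would be opened over SMB, and lists
# live outbound SMB connections that leave private address space.

function Test-PrivateIPv4 {
    # True for RFC 1918 ranges and loopback; anything else is treated as external.
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Find-SmbRedirect {
    # Constructed proxy log layout: "<time> <client> <status> <url> <location>"
    # where <location> is the Location header of the response, or "-" if none.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $pattern = '^(?<time>\S+)\s+(?<client>\S+)\s+(?<status>\d{3})\s+(?<url>\S+)\s+(?<location>\S+)$'
    foreach ($line in $LogLines) {
        if ($line -notmatch $pattern) { continue }
        $status = [int]$Matches.status
        $target = $Matches.location
        if ($status -lt 300 -or $status -gt 399) { continue }
        # Windows resolves both file:// URLs and \\host\share paths over SMB,
        # so a redirect to either form is the signal described in the article.
        if ($target -match '^file://' -or $target -match '^\\\\') {
            [pscustomobject]@{
                Time     = $Matches.time
                Client   = $Matches.client
                Original = $Matches.url
                Target   = $target
            }
        }
    }
}

function Get-ExternalSmbConnection {
    # Endpoint-side check: established TCP connections to port 139/445
    # whose remote side is not a private address. Accepts a list of
    # connection objects so it can be fed saved data as well as live state.
    param($Connections = (Get-NetTCPConnection -RemotePort 139,445 -ErrorAction SilentlyContinue))
    $Connections | Where-Object { -not (Test-PrivateIPv4 $_.RemoteAddress) }
}

# Constructed sample log lines (documentation-range addresses, not real hosts)
$sample = @(
    '2015-04-13T10:01:02Z 192.0.2.10 200 http://example.com/index.html -',
    '2015-04-13T10:01:05Z 192.0.2.10 302 http://example.com/image.png file://198.51.100.7/share/image.png',
    '2015-04-13T10:01:09Z 192.0.2.11 301 http://example.com/old http://example.com/new',
    '2015-04-13T10:01:12Z 192.0.2.12 302 http://example.com/logo.gif \\198.51.100.7\pub\logo.gif'
)

# Expected: the two redirects to 198.51.100.7 are reported; the 200 and the
# ordinary HTTP 301 are not.
Find-SmbRedirect -LogLines $sample | Format-Table -AutoSize

# Live check on the local machine (returns nothing when no external SMB session exists)
Get-ExternalSmbConnection | Select-Object LocalAddress, RemoteAddress, RemotePort, State
```

Get-NetTCPConnection exists on Windows 8 / Server 2012 and later; on Windows 7 the same information can be read from `netstat -ano` and passed to Test-PrivateIPv4 by hand. The log parser only sees redirects that the proxy records, so a MITM on an untrusted network that rewrites traffic before it reaches the proxy is caught by the endpoint check, not the log check.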

Microsoft ignored the previous vulnerability and left it unpatched; hopefully that will not be the case here.

A large scale vulnerability that even affects antivirus programs

So far 31 vulnerable applications have been discovered, including popular applications like Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010 and GitHub for Windows.

The list even includes antivirus/anti-malware programs! The following security applications are affected:

  • Symantec’s Norton Security Scan
  • AVG Free
  • BitDefender Free
  • Comodo Antivirus

Due to the complicated nature of the vulnerability, it is expected that it will mostly be used for targeted attacks. However, cyber criminals rarely lack imagination so there could be several different scenarios.

The following types of attacks could make use of this vulnerability:

  • Targeted attacks with sophisticated planning
  • Attacks using Malvertising (malicious advertising)
  • Attacks through shared Wi-Fi access points in locations like hotels and coffee shops

While we wait for a patch, the simplest workaround is to completely block outbound traffic to TCP ports 139 and 445 using a firewall. Hopefully Microsoft will take this major security issue seriously and release a fix soon.
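The firewall workaround above, as an added example (not from the article or from Microsoft's own guidance): an outbound block rule for TCP 139 and 445 created with the Windows Firewall cmdlets, followed by a check that the rule and its port filter exist. The rule name is chosen here; the cmdlets and the netsh syntax are the standard ones.

```powershell
# Added example. Requires an elevated (Administrator) PowerShell session.

# Windows 8 / Server 2012 and later: NetSecurity module cmdlets.
New-NetFirewallRule -DisplayName 'Block outbound SMB (Redirect to SMB)' `
    -Direction Outbound -Protocol TCP -RemotePort 139,445 `
    -Action Block -Profile Any

# Verify: the rule should be enabled and its port filter should show 139,445.
Get-NetFirewallRule -DisplayName 'Block outbound SMB (Redirect to SMB)' |
    Select-Object DisplayName, Enabled, Direction, Action

Get-NetFirewallRule -DisplayName 'Block outbound SMB (Redirect to SMB)' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# Windows 7 (no NetSecurity module): the same rule via netsh.
# netsh advfirewall firewall add rule name="Block outbound SMB (Redirect to SMB)" dir=out action=block protocol=TCP remoteport=139,445

# Removal, once a vendor patch has been applied:
# Remove-NetFirewallRule -DisplayName 'Block outbound SMB (Redirect to SMB)'
```

A complete outbound block also cuts access to internal file servers and, on a domain-joined machine, to SYSVOL on the domain controllers, so on such machines it is worth limiting the rule to external destinations by adding `-RemoteAddress Internet` (a built-in address keyword of New-NetFirewallRule) rather than blocking every destination.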

Have a nice (vulnerability-free) day!

  • B.Cord Edleman Jr

    You could also just use a VPN. ;)

  • Tauseef

    Here they should try vpn which is best for this purpose and specially they can get from vpnranks .com

  • Glenn McGrew II

    So Bitdefender AV Free, the company which Emsisoft partnered with for your dual-engine technology, has this problem? Any idea when this will be resolved?

    It might be nice to explain to readers how to block those ports in Windows Firewall...

  • Glenn McGrew II

    Windows 7:
    Click Start >> Control Panel >> Windows Firewall
    On the far left side, click “Advanced Settings”. A new window will open.
    On the far left side, click “Outbound Rules.”
    On the far right side, click “New Rule…” A new window will open.
    A list of choices with radio (round) buttons will appear. Click “Port”, and then the “Next >” button.
    You will see 2 pairs of choices on the new screen. For the upper pair, it should be set to “TCP”. For the lower pair, it should be set to “Specific remote ports:” and you should click in the white data entry field to the right of it.
    Type in “139, 445” (but not the quotation marks – there is an example below the field if you’re confused). Then click the “Next >” button.
    It should be set to “Block the connection.” Then click the “Next >” button.
    All options should be check-marked. Then click the “Next >” button.
    For the name, type something you’ll understand later, like “SMB Vulnerability Fix”.
    For the description, again type something you’ll understand later, like “Blocks outgoing TCP ports 139 & 449”. Then click the “Finish” button.

    • Robert Burger

      Last line where it says, “TCP ports 139 & 449”.
      Believe it should say, “TCP ports 139 & 445”.

      • Glenn McGrew II

        Thanks, I fixed it!