Large scale Windows SMB vulnerability puts user login credentials at risk

An important vulnerability labeled “Redirect to SMB” has been uncovered by Cylance. This vulnerability allows attackers to steal sensitive login information using a new technique. All devices running Windows (even the preview of the latest Windows 10) are affected and the list of vulnerable software packages is huge as well. The vulnerability was recently disclosed to the public by Carnegie Mellon University CERT who have been working with the several affected software vendors for the last few weeks to help resolve the issue.

From Server Message-Block to Unauthorized Access-Allow

Server message block or SMB operates as an application-layer network protocol and is mainly used in order to enable shared access to files, printers and miscellaneous communications between nodes on a network. In this case, the communications between the victim’s computer and a legitimate web server could be hijacked using man-in-the-middle attacks and the traffic redirected through malicious SMB servers. These servers would allow the attackers to retrieve the victim’s username, domain and hashed password. Thus, this is another technique that can be used by cyber criminals to steal important login data. The following illustration describes the scenario:

The redirect to SMB vulnerability is not the first of its kind. According to Brain Wallace of Cylance:

The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer  would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser.

Microsoft ignored the previous vulnerability and left it unpatched, hopefully that will not be the case here.

A large scale vulnerability that even affects antivirus programs

So far 31 vulnerable applications have been discovered including popular applications like Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010 and Github for Windows.

The list even includes antivirus/anti-malware programs! The following security applications are affected:

• Symantec’s Norton Security Scan
• AVG Free
• BitDefender Free
• Comodo Antivirus

Due to the complicated nature of the vulnerability, it is expected that it will mostly be used for targeted attacks. However, cyber criminals rarely lack imagination so there could be several different scenarios.

The following types of attacks could make use of this vulnerability:

• Targeted attacks with sophisticated planning
• Attacks using Malvertising (malicious advertising)
• Attacks through shared wifi access points in locations like Hotels and Coffee shops

While we wait for a patch, the simplest solution is to completely block outbound traffic from the ports TCP 139 and TCP 445 using a firewall. Hopefully Microsoft will take this major security issue seriously and release a fix soon.

Have a nice (vulnerability-free) day!