The Driz Group

Cybersecurity Blog


3/15/2020


How to Block Malicious SMB Traffic from Entering or Leaving Your Organization’s Network

 

In recent years, attackers have exploited vulnerabilities in SMB, short for Server Message Block, both to get into their victims’ networks and to move out of them.

What Is SMB?

SMB is a network file sharing and data architecture protocol used by major operating systems such as Windows, macOS and Linux. A client (a computer used to access a server over a network) uses SMB to access data on a server. A server (a computer that stores a wide variety of files, such as application and data files) uses SMB for workloads like clustering and replication.

SMB was originally developed in the 1980s by IBM. Microsoft adopted the protocol but made considerable modifications. Microsoft’s SMB protocol has since gone through three major versions: Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3).

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. Microsoft publicly deprecated the SMBv1 protocol in 2014.

SMBv1 Security Vulnerability

Ned Pyle of Microsoft described SMBv1 as being much like the original 1980s version, that is, designed for a world that no longer exists: “a world without malicious actors, without vast sets of important data, without near-universal computer usage”.

According to Pyle, key protections offered by later SMB protocol versions aren’t found in SMBv1, including the following:

  • Pre-authentication Integrity (SMB 3.1.1+) that protects against security downgrade attacks;
  • Secure Dialect Negotiation (SMB 3.0, 3.02) that protects against security downgrade attacks;
  • Encryption (SMB 3.0+) that prevents inspection of data on the wire and man-in-the-middle (MiTM) attacks;
  • Insecure guest auth blocking (SMB 3.0+ on Windows 10+) that protects against MiTM attacks; and
  • Better message signing (SMB 2.02+): HMAC-SHA256 replaces MD5 as the signing algorithm in SMB 2.02 and SMB 2.1, and AES-CMAC replaces it in SMB 3.0+.

On March 14, 2017, Microsoft issued a security update, also known as a patch, fixing the vulnerability in SMBv1. According to Microsoft, this vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Nearly two months after the release of the patch for SMBv1, on May 12, 2017, the WannaCry malicious software (malware) infected hundreds of thousands of computers worldwide. The group behind WannaCry exploited the security vulnerability in SMBv1.
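The deprecation notice above becomes an action item on a Windows host with the following PowerShell, added here as an example (it is not code from the original post or from Microsoft’s guidance): it audits whether SMBv1 is still installed and still being used, logs remaining SMBv1 clients before the cut-off, and then retires the dialect while requiring signing on the SMBv2/SMBv3 sessions that remain. It assumes an elevated session on Windows 10 or Windows Server 2016 or later with the SmbShare and DISM cmdlets available; the function names are my own, and the assumption that the first property of audit event 3000 is the client address is noted in the code.

```powershell
# Added example (not from the original post): audit and retire SMBv1 on a Windows host.
# Assumes an elevated session on Windows 10 / Server 2016+ (SmbShare and DISM cmdlets).
# Function names are constructed for this example.

function Get-Smb1Status {
    # One-line picture of where the host stands: is the legacy dialect installed,
    # is the server still offering it, and is signing enforced on what remains?
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { [string]$feature.State } else { 'NotPresent' }
        Smb1AuditEnabled  = $server.AuditSmb1Access
        SigningRequired   = $server.RequireSecuritySignature
    }
}

function Find-Smb1Sessions {
    # Sessions that negotiated a 1.x dialect belong to the clients that would break
    # once SMBv1 is removed; patch, upgrade or replace those first.
    Get-SmbSession | Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}

function Enable-Smb1Audit {
    # Phase 1: log every SMBv1 access (event ID 3000 in the
    # Microsoft-Windows-SMBServer/Audit log) for a while before disabling anything.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1AuditSummary {
    # Summarise the audit log by client so the remaining SMBv1 talkers can be tracked down.
    # Assumption: Properties[0] of event 3000 carries the client address.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        Group-Object -Property { $_.Properties[0].Value } |
        Select-Object Name, Count
}

function Disable-Smb1 {
    # Phase 2: stop offering the dialect, require signing (HMAC-SHA256 / AES-CMAC on
    # SMB2/3), and remove the optional feature so neither client nor server side can
    # fall back to SMBv1. A reboot completes the feature removal.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Typical sequence: Get-Smb1Status; Find-Smb1Sessions; Enable-Smb1Audit
# ... a week or two later: Get-Smb1AuditSummary; Disable-Smb1; Get-Smb1Status
```

Run the audit phase first: turning SMBv1 off on a file server that an old appliance or scanner still depends on is the usual reason such projects get rolled back, and the audit log names those dependencies before anything breaks.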

SMBv3 Security Vulnerability

On March 12, 2020, Microsoft issued a patch for a security vulnerability in SMBv3. According to Microsoft, this vulnerability, tracked as CVE-2020-0796, could allow an attacker to execute code on the target SMB server or SMB client.

Microsoft said that in order to exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, meanwhile, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

The CVE-2020-0796 vulnerability exists in a new feature (SMBv3 compression) that was added in Windows 10 version 1903; the affected versions are the following:

  • Windows 10 Version 1903 for 32-bit Systems;
  • Windows 10 Version 1903 for ARM64-based Systems;
  • Windows 10 Version 1903 for x64-based Systems;
  • Windows 10 Version 1909 for 32-bit Systems;
  • Windows 10 Version 1909 for ARM64-based Systems;
  • Windows 10 Version 1909 for x64-based Systems;
  • Windows Server, version 1903 (Server Core installation); and
  • Windows Server, version 1909 (Server Core installation).

Cybersecurity Best Practices in Blocking Malicious SMB Traffic

Keeping your operating systems up to date and using only supported operating systems are two effective measures for blocking malicious SMB traffic.

In the case of the WannaCry attack, many of the infected computers had not applied Microsoft’s March 14, 2017 security update. It is therefore important to keep your operating system up to date.

Other WannaCry victims were unsupported computers, those that no longer received security updates because they had already reached end of life or end of support. It is important to use only operating systems that still receive regular security updates, that is, those that haven’t reached end of life.

The high number of WannaCry victims showed that a large number of Windows users were either running unsupported operating systems or had not installed Microsoft’s March 14, 2017 security update.

For the SMBv3 security vulnerability CVE-2020-0796, Microsoft recommends the following mitigating measures:

  1. Block TCP port 445 at the enterprise perimeter firewall

According to Microsoft, blocking TCP port 445 at the network perimeter firewall helps protect systems behind that firewall from attempts to exploit the CVE-2020-0796 vulnerability. This measure mitigates internet-based attacks, those that originate outside the enterprise perimeter. Systems that have not received Microsoft’s March 12, 2020 security update, however, remain vulnerable to attacks from within the enterprise perimeter.

  2. Disable SMBv3 compression

For organizations that can’t immediately apply the March 12, 2020 security update for operational reasons, one workaround for CVE-2020-0796 is to disable SMBv3 compression.

SMBv3 compression can be disabled with the PowerShell command below. This blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Microsoft, however, warned that disabling SMBv3 compression doesn’t prevent the exploitation of SMB clients.
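The two mitigations above, together with a check of whether a given host needs them at all, as a PowerShell example added here (not code from the original post; only the LanmanServer registry path and the DisableCompression value come from Microsoft’s advisory). It assumes an elevated session on a Windows 10 or Windows Server host; the mapping of build 18362 to version 1903 and 18363 to version 1909, the function names and the firewall rule names are my own.

```powershell
# Added example (not from the original post): assess and mitigate CVE-2020-0796 on a host.
# Only the LanmanServer registry path and DisableCompression value come from Microsoft's
# advisory; the functions, rule names and build mapping (1903 = 18362, 1909 = 18363) are
# constructed for this example. Run in an elevated session.

$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

function Get-Cve20200796Posture {
    # Is this build one of the affected releases, and is the compression workaround in place?
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $dc    = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $affected = $AffectedBuilds.ContainsKey($build)
    [pscustomobject]@{
        Build                   = $build
        ReleaseId               = if ($affected) { $AffectedBuilds[$build] } else { 'not in affected range' }
        AffectedRelease         = $affected
        CompressionDisabled     = ($dc -eq 1)
        # The workaround only covers the server role; the client role needs the March 12, 2020 update.
        ServerWorkaroundApplied = $affected -and ($dc -eq 1)
    }
}

function Disable-Smb3Compression {
    # Microsoft's documented workaround, followed by a read-back so the caller can verify it took.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
    (Get-ItemProperty -Path $LanmanParams -Name DisableCompression).DisableCompression -eq 1
}

function Enable-Smb3Compression {
    # Reverse the workaround once the security update is installed and verified.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 0 -Force
}

function Set-SmbPublicProfileBlock {
    # Host-level complement to the perimeter rule: on the Public firewall profile
    # (untrusted networks) refuse SMB both inbound (the server attack path) and
    # outbound (a client lured to a malicious SMBv3 server). Domain and Private
    # profiles are left alone so file sharing inside the enterprise keeps working.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block $dir SMB TCP 445 on Public profile"   # constructed rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            $portParam = if ($dir -eq 'Inbound') { @{ LocalPort = 445 } } else { @{ RemotePort = 445 } }
            New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol TCP -Profile Public -Action Block @portParam | Out-Null
        }
    }
}

# Typical sequence on an unpatched 1903/1909 host:
# Get-Cve20200796Posture; Disable-Smb3Compression; Set-SmbPublicProfileBlock
# ... after the March 12, 2020 update is installed: Enable-Smb3Compression
```

The posture object makes the caveat in the paragraph above explicit: ServerWorkaroundApplied can be true while the host is still exploitable as an SMB client, so the registry workaround is a stopgap until the update is on, not a replacement for it.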

 


    Author

    Steve E. Driz, I.S.P., ITCP

© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit