3/15/2020

How to Block Malicious SMB Traffic from Entering or Leaving Your Organization’s Network

In recent years, vulnerabilities in SMB, short for Server Message Block, have been exploited by attackers in entering or leaving their victims’ networks.

What Is SMB?

SMB is a network file sharing and data architecture protocol that’s used by major operating systems such as Windows, MacOS and Linux. A client – referring to a computer used to access a server through a network – uses SMB to access data on a server. A server – referring to a computer that stores a wide variety of files such as application and data files – uses SMB for workloads like clustering and replication.

SMB was originally developed in the 80s by IBM. Microsoft adopted this protocol but made considerable modifications. Microsoft’s SMB protocol has since undergone 3 versions: Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3).

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. Microsoft publicly deprecated the SMBv1 protocol in 2014.

SMBv1 Security Vulnerability

Ned Pyle of Microsoft described SMBv1 as much like the 80s original version, that is, for a world that no longer exists – “a world without malicious actors, without vast sets of important data, without near-universal computer usage”.

According to Pyle, key protections offered by later SMB protocol versions aren’t found in SMBv1, including the following:

Pre-authentication Integrity (SMB 3.1.1+) that protects against security downgrade attacks;
Secure Dialect Negotiation (SMB 3.0, 3.02) that protects against security downgrade attacks;
Encryption (SMB 3.0+) that prevents inspection of data on the wire, man-in-the-middle attack (MiTM) attacks;
Insecure guest auth blocking (SMB 3.0+ on Windows 10+) that protects against MiTM attacks; and
Better message signing (SMB 2.02+) as HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+.

On March 14, 2017, Microsoft issued a security update, also known as a patch, fixing the vulnerability in SMBv1. According to Microsoft, this vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Nearly 2 months after the release of the patch for SMBv1, on May 12, 2017, the WannaCry malicious software (malware) infected hundreds of thousands of computers worldwide. The group behind WannaCry exploited the security vulnerability in SMBv1.

SMBv3 Security Vulnerability

Last March 12, Microsoft issued a patch for a security vulnerability in SMBv3. According to Microsoft, this security vulnerability, referred to as CVE-2020-0796, could allow an attacker to gain the ability to execute code on the target SMB server or SMB client.

Microsoft said that in order to exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, meanwhile, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

CVE-2020-0796 vulnerability exists in a new feature that was added to Windows 10 version 1903, including the following versions:

Windows 10 Version 1903 for 32-bit Systems;
Windows 10 Version 1903 for ARM64-based Systems;
Windows 10 Version 1903 for x64-based Systems;
Windows 10 Version 1909 for 32-bit Systems;
Windows 10 Version 1909 for ARM64-based Systems;
Windows 10 Version 1909 for x64-based Systems;
Windows Server, version 1903 (Server Core installation); and
Windows Server, version 1909 (Server Core installation).

Cybersecurity Best Practices in Blocking Malicious SMB Traffic

Keeping your operating systems up to date and using only supported operating systems are two of the effective measures in blocking malicious SMB traffic.

In the case of the WannaCry attack, many of the infected computers failed to apply Microsoft’s March 14, 2017 security update. It’s, therefore, important to keep your operating system up to date.

Other victims of the WannaCry attack were unsupported computers – those that no longer received security updates as these computers already reached their end of life or end of support. It’s important to only use operating systems that receive regular security updates or those that still haven’t reached their end of life.

The high number of WannaCry victims showed that high number of Windows operating system users had used unsupported operating systems and hadn’t installed Microsoft’s March 14, 2017 security update.

For the SMBv3 security vulnerability CVE-2020-0796, Microsoft recommends the following mitigating measures:

Block TCP port 445 at the enterprise perimeter firewall

According to Microsoft, blocking TCP port 445 at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit CVE-2020-0796 vulnerability. This mitigating measure helps avoid internet-based attacks – those that originate outside the enterprise perimeter. Failure, however, to apply Microsoft’s March 12, 2020 security update could still leave vulnerable systems to attacks from within their enterprise perimeter.

Disable SMBv3 compression

One workaround for CVE-2020-0796 vulnerability, especially for organizations that can’t immediately apply the March 12, 2020 security update due to operational reasons is by disabling SMBv3 compression.

Disabling SMBv3 compression blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Microsoft, however, warned that disabling SMBv3 compression doesn’t prevent the exploitation of SMB clients.

0 Comments

Cybersecurity Blog