Thought leadership. threat analysis, news and alerts.
How to Block Malicious SMB Traffic from Entering or Leaving Your Organization’s Network
In recent years, vulnerabilities in SMB, short for Server Message Block, have been exploited by attackers in entering or leaving their victims’ networks.
What Is SMB?
SMB is a network file sharing and data architecture protocol that’s used by major operating systems such as Windows, MacOS and Linux. A client – referring to a computer used to access a server through a network – uses SMB to access data on a server. A server – referring to a computer that stores a wide variety of files such as application and data files – uses SMB for workloads like clustering and replication.
SMB was originally developed in the 80s by IBM. Microsoft adopted this protocol but made considerable modifications. Microsoft’s SMB protocol has since undergone 3 versions: Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3).
The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. Microsoft publicly deprecated the SMBv1 protocol in 2014.
SMBv1 Security Vulnerability
Ned Pyle of Microsoft described SMBv1 as much like the 80s original version, that is, for a world that no longer exists – “a world without malicious actors, without vast sets of important data, without near-universal computer usage”.
According to Pyle, key protections offered by later SMB protocol versions aren’t found in SMBv1, including the following:
On March 14, 2017, Microsoft issued a security update, also known as a patch, fixing the vulnerability in SMBv1. According to Microsoft, this vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Nearly 2 months after the release of the patch for SMBv1, on May 12, 2017, the WannaCry malicious software (malware) infected hundreds of thousands of computers worldwide. The group behind WannaCry exploited the security vulnerability in SMBv1.
SMBv3 Security Vulnerability
Last March 12, Microsoft issued a patch for a security vulnerability in SMBv3. According to Microsoft, this security vulnerability, referred to as CVE-2020-0796, could allow an attacker to gain the ability to execute code on the target SMB server or SMB client.
Microsoft said that in order to exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, meanwhile, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
CVE-2020-0796 vulnerability exists in a new feature that was added to Windows 10 version 1903, including the following versions:
Cybersecurity Best Practices in Blocking Malicious SMB Traffic
Keeping your operating systems up to date and using only supported operating systems are two of the effective measures in blocking malicious SMB traffic.
In the case of the WannaCry attack, many of the infected computers failed to apply Microsoft’s March 14, 2017 security update. It’s, therefore, important to keep your operating system up to date.
Other victims of the WannaCry attack were unsupported computers – those that no longer received security updates as these computers already reached their end of life or end of support. It’s important to only use operating systems that receive regular security updates or those that still haven’t reached their end of life.
The high number of WannaCry victims showed that high number of Windows operating system users had used unsupported operating systems and hadn’t installed Microsoft’s March 14, 2017 security update.
For the SMBv3 security vulnerability CVE-2020-0796, Microsoft recommends the following mitigating measures:
According to Microsoft, blocking TCP port 445 at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit CVE-2020-0796 vulnerability. This mitigating measure helps avoid internet-based attacks – those that originate outside the enterprise perimeter. Failure, however, to apply Microsoft’s March 12, 2020 security update could still leave vulnerable systems to attacks from within their enterprise perimeter.
One workaround for CVE-2020-0796 vulnerability, especially for organizations that can’t immediately apply the March 12, 2020 security update due to operational reasons is by disabling SMBv3 compression.
Disabling SMBv3 compression blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Microsoft, however, warned that disabling SMBv3 compression doesn’t prevent the exploitation of SMB clients.
Steve E. Driz, I.S.P., ITCP