Astute readers may have been following the recent news around "SMBLoris" — a proof-of-concept exploit that takes advantage of a vulnerability in the implementation of SMB services on both Windows and Linux, enabling attackers to "kill you softly" with a clever, low-profile application-level denial of service (DoS). This vulnerability impacts all versions of Windows and Samba (the Linux software that provides SMB services on that platform), and Microsoft has stated that it has no current intention to provide a fix for the issue.
Researchers Sean Dillon (Twitter: @zerosum0x0) and Jenna Magius (Twitter: @jennamagius) found the original vulnerability in June (2017) and noted that it was an apparent bug in SMBv1 (you'll remember that particular string of letters from both the WannaCry and "NotPetya" outbreaks this year). Jenna Magius was one of the researchers who more recently noted that all Windows systems — including Windows 10 — exposing port 445 are vulnerable (i.e. disabling SMBv1 won't stop attacks).
This means that all Windows systems exposing port 445 and the majority of Linux systems exposing port 445 are currently vulnerable to this application-level denial of service attack. If the attack is successful, the system being attacked will need to be rebooted and will still be vulnerable. Researchers have noted that this vulnerability is similar to one from 2009 — Slowloris — that impacted different types of systems with the same technique. It appears, however, that SMBLoris can have a much faster negative impact even on Windows systems with robust hardware configurations.
Is The World Ending?
Yes…in approximately 7.5 billion years when our Sun is estimated to turn into a dwarf star.
However, here are the facts about this vulnerability:
- It is not, itself, "wormable" as seen with previous SMB-related attacks this year.
- It is not "ransomware".
- There is currently no indication of active exploitation of it (we and other researchers are monitoring for this and will provide additional communications & guidance if we discover widespread SMBLoris probes or attacks).
- It is not any more destructive to a single system than what might happen if you accidentally turned off said system without shutting it down properly.
If you have mobile endpoints (i.e. laptops) that connect to diverse networks, or SMB servers that expose port 445 to the internet, then those systems are vulnerable to this SMBLoris exploit and can easily be (temporarily) taken down by attackers.
Your internal systems are also vulnerable to this attack as most organizations do not implement granular controls over port 445 system-to-system communications. This means that an attacker who compromises a system within your network can launch SMBLoris attacks against any assets exposing port 445.
So, while the world is generally safe, there is room for reasoned caution.
What Can We Do?
If you own one or more of the ~4 million internet endpoints exposing this vulnerable protocol on port 445 (as noted in our 2017 Q2 Threat Report) then you should take steps to remove those systems from the internet (it's never a good idea to expose this service directly to the internet anyway).
If you have an active, mobile user base, then those devices should be configured to block access to port 445 when not on the corporate network. Even then, it's a good idea to have well-crafted host firewall rules to restrict access on this port.
You should also be monitoring both your operations logs/alerts and help desk tickets for unusual reports of random system crashes and reboots and handling them through your standard incident response processes.
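One way to automate the log side of this monitoring, added here and not part of the original post: the script flags bursts of unexpected shutdowns that hit several hosts close together, the pattern a widespread DoS would leave once crashed machines are power-cycled. It assumes a CSV export of Windows System-log events (`timestamp,host,event_id`), treats Event IDs 41 and 6008 as unclean shutdowns, and uses an illustrative 10-minute window and 3-host threshold; the sample records are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Windows System-log event IDs written after an unclean shutdown:
# 41 (Kernel-Power) and 6008 (EventLog). 1074 is a planned restart.
UNEXPECTED_SHUTDOWN_IDS = {41, 6008}

Event = namedtuple("Event", "time host event_id")

# Constructed sample export (timestamp,host,event_id); not real telemetry.
SAMPLE_LOG = """\
2017-08-02T09:14:05,FS01,6008
2017-08-02T09:14:05,FS01,41
2017-08-02T09:16:40,WS-114,41
2017-08-02T09:19:02,WS-207,6008
2017-08-02T09:21:30,APP03,1074
2017-08-02T13:45:00,WS-020,41
"""

def parse_events(text):
    """Parse 'timestamp,host,event_id' lines, skipping blank or malformed ones."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            events.append(Event(datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return events

def crash_clusters(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (start, end, hosts) per burst of unclean shutdowns across >= min_hosts hosts."""
    crashes = sorted(e for e in events if e.event_id in UNEXPECTED_SHUTDOWN_IDS)
    clusters, i = [], 0
    while i < len(crashes):
        j = i
        # Extend the burst while events stay within `window` of its first event.
        while j + 1 < len(crashes) and crashes[j + 1].time - crashes[i].time <= window:
            j += 1
        hosts = sorted({e.host for e in crashes[i:j + 1]})
        if len(hosts) >= min_hosts:
            clusters.append((crashes[i].time, crashes[j].time, hosts))
            i = j + 1   # burst reported; continue after it
        else:
            i += 1      # isolated crash; slide the window start forward
    return clusters
```

Calling `crash_clusters(parse_events(SAMPLE_LOG))` reports the morning burst across three hosts and ignores both the planned restart and the isolated afternoon crash.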
What Might Attackers Do With SMBLoris?
Denial of service and distributed denial of service (DDoS) attacks are generally used to disable services for:
- financial gain (e.g. extortion), and
- distraction (i.e. keeping operations teams and incident responders busy to cover the tracks for other malicious behaviour)
The CVE Details site shows over 60,000 application/operating system DoS vulnerabilities spread across hundreds of vendor products. It is highly likely that you have many of these other DoS vulnerabilities present on both your internet-facing systems and intranet systems. In other words, attackers have a plethora of targets to choose from when deciding to use application- or OS-level DoS attacks against an organization.
What makes SMBLoris a bit more insidious and a potential go-to vulnerability for attackers is that it makes it easy to perform nigh-guaranteed widespread DDoS attacks against homogeneous networks exposing port 445. So, while you should not be panicking, you should be working to understand your exposure, creating and deploying configurations to mitigate said exposure, and performing the monitoring outlined above.
If you do not have a threat exercise scenario for application-level DDoS attacks or do not have an incident response plan for such an attack, now would be a great time to work on that. You can use this run book by the Financial and Banking Information Infrastructure Committee (FBIIC) as a starting point or reference.
As stated earlier, we are on the lookout for adversarial activity surrounding SMBLoris, and will update the community if and when we have more information.
(Banner image by Jonas Eklundh)