18-year-old SMB vulnerability resurfaces, dozens of vendors affected

New methods expand the attack surface to applications and software beyond Windows

1 2 3 Page 3
Page 3 of 3

What software / applications are affected?

Widely Used Applications:

  • Adobe Reader
  • Apple QuickTime
  • Apple Software Update (iTunes)

Microsoft Applications:

  • Internet Explorer
  • Windows Media Player
  • Excel 2010
  • Microsoft Baseline Security Analyzer

Antivirus Software:

  • Symantec’s Norton Security Scan
  • AVG Free
  • BitDefender Free
  • Comodo Antivirus

Security Tools:

  • .NET Reflector
  • Maltego CE

Team Tools:

  • Box Sync
  • TeamViewer

Developer Tools:

  • Github for Windows
  • PyCharm
  • IntelliJ IDEA
  • PHP Storm
  • JDK 8u31’s installer


"Any known vulnerable functions used by the software need to be replaced with functions that do not support cross protocol redirection...Access to SMB should be direct and filtered by the application. Disallowing any SMB requests outside of the local subnet, or at least requiring user verification, can limit the remote exploitation situations," wrote Brian Wallace, the researcher who was in charge of this particular SPEAR project, in a paper on the topic.

"TCP port 139 and 445 should be blocked at the outbound firewall. If it is absolutely required that users access external SMB servers, access needs to be restricted as much as possible."

The research paper also recommends the use of strong passwords, which can help hinder cracking attempts. However, advances in GPU-based password cracking have significantly lowered the time needed to brute-force NTLMv2 hashes. As such, the paper also recommends that administrators update their password policies over time to reflect the falling cost of the hardware used to crack passwords.

"The oclHashcat website includes benchmarks for NetNTLMv2 using 8 x AMD R9 290X GPUs (each retails for about $300 to $700). It shows that with roughly $3000 worth of these GPUs, an attacker could make 6.496 billion guesses per second," Wallace wrote.

"That means during a simple brute-force attack, an attacker would be able to guess every 8 character password consisting of letters (upper and lower case) and numbers in less than 9.5 hours. Given that password renewal policies are often required once a quarter, this gives the attackers a large amount of time to use those passwords."
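To check Wallace's figures and turn them into a policy test, here is a small calculation added for this article (not from the Cylance paper): it takes the quoted benchmark rate, computes the worst-case time to exhaust an 8-character alphanumeric keyspace, and finds the shortest password length whose exhaustive search outlasts a rotation window. The 90-day quarter and the pure brute-force model (no wordlists or rules) are assumptions.

```python
import string

# Rate quoted on the page: oclHashcat NetNTLMv2 benchmark, 8 x AMD R9 290X.
GUESSES_PER_SECOND = 6.496e9
SECONDS_PER_HOUR = 3600
# Assumption: a "once a quarter" rotation policy modelled as 90 days.
QUARTER_SECONDS = 90 * 24 * 3600

# Upper + lower case letters and digits, the charset in Wallace's example.
ALNUM = len(string.ascii_letters + string.digits)  # 62


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def hours_to_exhaust(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to try every password of this shape at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_HOUR


def min_length_outliving_rotation(charset_size: int,
                                  rotation_seconds: int = QUARTER_SECONDS,
                                  rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length n such that charset_size**n exceeds the guesses an
    attacker can make during one rotation window (rate * rotation_seconds).
    A password shorter than this can be exhausted before it is rotated."""
    guesses_in_window = rate * rotation_seconds
    n = 1
    while keyspace(charset_size, n) <= guesses_in_window:
        n += 1
    return n


if __name__ == "__main__":
    # Reproduces the "less than 9.5 hours" claim: about 9.34 hours.
    print(f"8-char alphanumeric keyspace: {keyspace(ALNUM, 8):,}")
    print(f"Hours to exhaust at quoted rate: {hours_to_exhaust(ALNUM, 8):.2f}")
    # Length needed for exhaustive search to outlast a 90-day rotation: 10.
    print(f"Min length outliving one quarter: {min_length_outliving_rotation(ALNUM)}")
```

Re-run `min_length_outliving_rotation` with a higher `rate` as GPU benchmarks improve to see how the minimum length a rotation policy needs drifts upward, which is the adjustment the paper asks administrators to make.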

A copy of the full report from Cylance is available here.

"The RedirectToSMB attack is not an earth-shattering vulnerability, but it does demonstrate a novel approach to attacking passive client systems through a man-in-the-middle attack. On the surface, this attack doesn't look like anything new at first, but it significantly increases the exploitability of Windows laptop and tablet users that connect to open WiFi networks. In terms of mitigations, all of the normal advice for preventing outbound SMB authentication applies," Moore said.

Last year, Rapid7 worked with Microsoft and Palo Alto Networks to come up with specific guidance for protecting service accounts, and Moore said that many of those recommendations would apply to this issue as well. A copy of their recommendations is available here.

Copyright © 2015 IDG Communications, Inc.
