18-year-old Windows bug allows attackers to harvest credentials

A vulnerability first reported in 1997 can be used by attackers to harvest credentials. Although this is even easier to exploit now, a Microsoft rep is downplaying the risk.

This week, security researchers at Cylance disclosed a vulnerability in Server Message Block (SMB) that allows attackers to harvest user credentials from any Windows computer, server, or tablet, including those running the Windows 10 Technology Preview.

The attack is relatively trivial to execute, requiring the user to input a malicious "file://" URL, click a similarly malicious link, or use any program that could automatically attempt to load such a link, such as generating a thumbnail for a linked image on a maliciously-coded page. Accessing this link leads to an authentication attempt by Windows. When combined with a man-in-the-middle attack, this exploit can be used to capture user credentials.

According to Brian Wallace at Cylance:

While conducting previous research on network protocols, we had experimented with redirecting ordinary HTTP requests to web servers to identify new attacks. So we were curious to see what threats SMB posed when combined with redirects. We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS.
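From the defender's side, the redirect Cylance describes is visible in proxy or web-gateway logs as a 3xx response whose Location header points at a file:// URL or a UNC path. The following is an added example, not code from Cylance or from this article; the four-field log layout, the host names and the addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {"301", "302", "303", "307", "308"}

# Constructed proxy log lines: client, status, requested URL, Location ("-" if none).
SAMPLE_LOG = [
    "10.0.4.17 200 http://intranet.example/index.html -",
    "10.0.4.17 302 http://updates.example/check file://203.0.113.9/share/img.jpg",
    "10.0.4.22 301 http://www.example/old https://www.example/new",
    r"10.0.4.31 302 http://cdn.example/a.png \\203.0.113.9\share\a.png",
    "10.0.4.40 307 http://ads.example/t FILE:////198.51.100.5/x",
    "10.0.4.41 302 http://docs.example/help file:///C:/help/index.html",
]

def smb_target(location):
    """Return the remote host a Location value would make Windows contact, else None."""
    loc = location.strip()
    if loc.startswith("\\\\"):                      # bare UNC path: \\host\share
        host = re.split(r"[\\/]", loc[2:], maxsplit=1)[0]
    else:
        parts = urlsplit(loc)                       # urlsplit lowercases the scheme
        if parts.scheme != "file":
            return None
        if parts.netloc:                            # file://host/share
            host = parts.hostname or ""
        elif parts.path.startswith("//"):           # file:////host/share
            host = parts.path.lstrip("/").split("/", 1)[0]
        else:                                       # file:///C:/... is a local path
            return None
    return host if host and host.lower() != "localhost" else None

def find_smb_redirects(lines):
    """Return (client, requested_url, smb_host) for each redirect that points at SMB."""
    hits = []
    for line in lines:
        client, status, url, location = line.split(" ", 3)
        if status in REDIRECT_CODES and location != "-":
            host = smb_target(location)
            if host:
                hits.append((client, url, host))
    return hits

if __name__ == "__main__":
    for client, url, host in find_smb_redirects(SAMPLE_LOG):
        print(f"{client} was redirected by {url} to SMB host {host}")
```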

How this affects you

As an end user, this probably will not affect you that much. However, blocking outbound traffic on TCP 139 and 445 in your firewall is still advisable.

The real risk is for users on a corporate intranet. If user credentials can be obtained and passwords cracked, it would allow the attacker access to shared files. The potential for abuse with SMB is very high, as malware that exploits SMB connections was used in the widely-publicized attack on Sony Pictures Entertainment in December 2014.
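Before or after adding the firewall rule, connection logs can show which machines have already sent SMB traffic off the network. The following is an added example, not part of the original article; the flow-record layout and addresses are constructed, and the internal ranges are an assumption (IPv4 private, loopback and link-local space) to be replaced with the organization's own.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}

# Assumed internal ranges; adjust to the networks the organization actually owns.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed flow records: source IP, destination IP, destination port, protocol.
SAMPLE_FLOWS = [
    "10.0.4.17 10.0.1.5 445 tcp",       # internal file server, expected
    "10.0.4.17 203.0.113.9 445 tcp",    # SMB leaving the network
    "10.0.4.31 203.0.113.9 139 tcp",    # NetBIOS session service leaving the network
    "10.0.4.31 198.51.100.5 443 tcp",   # HTTPS, not SMB
    "10.0.4.40 192.168.7.2 445 tcp",    # private destination
    "10.0.4.17 203.0.113.9 445 udp",    # not TCP, outside this check
]

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_smb(flows):
    """Map each internal source to the external (destination, port) pairs it reached."""
    hits = defaultdict(set)
    for rec in flows:
        src, dst, port, proto = rec.split()
        if proto.lower() != "tcp" or int(port) not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            hits[src].add((dst, int(port)))
    return dict(hits)

if __name__ == "__main__":
    for src, targets in sorted(external_smb(SAMPLE_FLOWS).items()):
        for dst, port in sorted(targets):
            print(f"{src} -> {dst}:{port} outbound SMB to a non-internal address")
```

Any host this reports has sent an authentication-capable SMB connection to an outside address, so its users' passwords are candidates for rotation.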

The programs affected by this exploit

Because multiple Windows API functions are vulnerable, a wide variety of programs, particularly those that have a self-updating mechanism or usage reporting utility, are susceptible to this exploit. Cylance reports that the vulnerable Microsoft programs are Windows Media Player, Excel 2010, and Microsoft Baseline Security Analyzer. Programs from third-party vendors that use the vulnerable Windows API calls are Adobe Reader, Apple Software Update, Box Sync, GitHub for Windows, AVG Free, Comodo Antivirus, BitDefender Free, and Symantec Norton Security Scan.

As a man-in-the-middle attack, exploiting this vulnerability through browser injection or a malicious router or DNS server is possible. Cylance also suggests that URL previews in some programs, as well as maliciously designed documents, can be used for the exploit. Importantly, this vulnerability does not require conscious participation of the end user, as things such as rogue ad servers could be used to perform the exploit to harvest user credentials.

When a fix will be available

If you do not have a need for SMB functionality, your best bet is to block outbound traffic on TCP 139 and 445 in your firewall. If you do and are waiting on an official fix from Microsoft, prepare to be disappointed.

This issue is structurally identical to a vulnerability disclosed 18 years ago in Windows 95 and NT 4.0 by security researcher Aaron Spangler. As such, a Microsoft representative insists that this issue is not new, and seemingly misunderstands the nature and details of the vulnerability, based on this statement in a CNET article:

"We don't agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics... several factors would need to come together for this type of cyberattack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they don't recognize or visiting unsecure sites."

To reiterate: according to the white paper by Cylance, it does not actually require the user to enter any information.

Are these credentials encrypted?

Fortunately, the answer to that question is yes, just not particularly well. After the initial report by Spangler in 1997, the method of encryption in SMB was changed to an algorithm known as NetNTLMv2. The benefit of this is that it was secure by the standards of 1998, and it is not vulnerable to rainbow tables, as it is generated with two salts.

Cylance points to oclHashcat, a free GPU-accelerated password-cracking tool. For the algorithm used, on an instance with eight AMD R9 290X GPUs, a brute-force attack would take less than 9.5 hours to guess "every eight character password consisting of letters (upper and lower case) and numbers," though Cylance notes that this is a last-resort method.

What's your view?

Is Microsoft's reaction to and handling of an 18-year-old vulnerability troubling? How does your organization implement sharing access to files — are you still relying on SMB, or has your organization migrated to cloud-based replacements such as Google Drive for Business, or a CMIS handler such as CmisSync? Tell us about your organization's ECM strategy in the comments.

Note: TechRepublic, Tech Pro Research, CNET, and ZDNet are CBS Interactive properties.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.