This SMBv1 Vulnerability Business ...


TrevMUN

Hey folks,

I found out today that Microsoft announced a vulnerability that affects Microsoft Server Message Block 1.0 (SMBv1) and will not patch it for any OS older than Vista.

I've not been aware of SMB until today, and I've been trying to find out more about it to understand how this vulnerability affects XP users. Does this remote code execution vulnerability affect everyone? Or is it only a problem for servers? Microsoft offers ways to enable and disable various versions of SMB, but there appears to be no such information for XP users; I figured even if the XP family only uses SMBv1, there'd at least be a guide on how to disable it if it's unnecessary. If SMB is more integral to XP than that, though, I wonder if we're facing a real problem here.



Interesting. I suppose the reason why people, Technet included, don't mention that POSReady2009 got the patch is part of the FUD surrounding Microsoft EOL'ing XP.

Though, what should XP64 users do about this?


5 hours ago, dencorso said:

Cry rivers? :dubbio:

I would have expected a snarky, low-hanging fruit response like yours if I had posed my question on Technet or any other forum. Not here.

If there's nothing that can be done about it, there's nothing that can be done about it, but I was interested in finding out the potential risks and solutions involved with this vulnerability.

EDIT: So I've been talking to some other people I know who are more knowledgeable on these subjects than I am. I showed them the Technet article, and what they've had to say was rather informative. For posterity, if anyone else stumbles on this thread and had similar concerns, I'm relaying what they told me.

From reading Technet's article, the people I've spoken to are not even sure whether XP has the SMBv1 vulnerability. "Any code execution vulnerability would have to be in the implementation [of the data exchange protocol]," one of them told me, so if this vulnerability happened because of a change in the way it's implemented in Vista or later, then XP and older OSes wouldn't even be affected. That's not a guarantee, of course, and this discussion happened before @XPPOS2009 replied to this thread showing that a patch for 2009POSReady does indeed exist.

From what I've been told, non-server versions of Windows have at least two ports from which they communicate via SMB. However, vulnerable or not, they think a decent router or similar protection would keep this vulnerability from being exploited. "Same reason most XP boxes aren't owned outright when they're on the internet," in the words of one. "The call would have to be coming from inside the house."

So I guess this is only really an issue for networks which have SMBv1-using machines. Not necessarily a problem for home users or hobbyists.

Edited by TrevMUN

A lot of updates are like this; they do not do a really good job of explaining the things they correct. They seem to rely on people needing to know what they are doing, or in the usual case, installing it if you don't know. When I first read this update, it stuck out to me (from my own experience with SMB) that you are then dealing with an in-network vulnerability. So, say some other system on your LAN sends a request to the unpatched system; then it could exploit whatever. BUT I do not know if you could fool Windows into responding to an SMB request through localhost, in which case no other computers on the local network would be needed.

Update Catalog only shows this for Vista, 2008 and POSReady2009. That Embedded variation is not that different from XP (it installs like Vista), so the "cry rivers" response is because there is no way to update XP x64... or Server 2003, which would be more of a concern. SMB is available in SP1 at least.


This article (Polish only, sorry):

http://www.fixitpc.pl/topic/49-zabezpieczenia-robaczywe-ataki-poslaniec/

describes SMB and the corresponding ports as a threat to 2000/XP/2003. Although it is based on old data (see the last post update), it describes things somewhat similar to the bug patched by M$ this week, I mean RCE using SMB. The post does not say which SMB it is, but I guess that v1.0 is what will appear in older systems ;)

If you are paranoid and do not share files, folders and printers over the network, simply block the corresponding ports. If you are just cautious, just be sure to hide your LAN behind a router and follow the most common good practices (do not open shady sites and files etc.) and you should be fine. You are not worth being an APT target ;)


SMB (NetBios) does work without TCP/IP as well. The problem is that Windows XP does not install it by default, so it is necessary to install the files by hand. So, it is possible to use SMB without TCP. Plain NetBios will not go through the internet, as it is not possible to route it. That's why, back in the Windows 98 days, I used to link Microsoft Networking with just NetBios, leaving TCP/IP unlinked.

Unluckily, Linux systems are unable to use SMB without TCP/IP. So, no connection to Linux SMB shares with just NetBios. Still, having both NetBios and NetBios over TCP/IP linked to Microsoft Networking is a good thing to have when the DHCP server is down.

Also, I was not interested in NetBios without TCP/IP on systems newer than XP, so I do not know if Vista and 7 can use plain old NetBios without using TCP/IP. I'm working with mixed Linux and Windows networks, so I lost my interest in Windows 9x style NetBios years ago.


  • 1 month later...

Recently found some news that appears to be directly related to this vulnerability.

"The Ransomware Meltdown Experts Warned About Is Here"

Quote

One reason WannaCry has proven so vicious? It seems to leverage a Windows vulnerability known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the wild last month in a trove of alleged NSA tools by the Shadow Brokers hacking group. Microsoft released a patch for the exploit, known as MS17-010, in March, but clearly many organizations haven’t caught up.

The exploit is, in fact, the very same SMBv1 vulnerability I discussed in the OP.

EDIT: McAfee has a dossier on how WannaCry works and what to expect if you get infected.

Quote

Files are encrypted with the .wnry, .wcry, .wncry, and .wncryt extension. End users see a screen with a ransom message.

Encryption seen on local host and open SMB shares. IMPORTANT: Customers should immediately install the Critical Microsoft Patch MS17-010, to prevent SMB shares from becoming encrypted

Edited by TrevMUN
Found direct information on WannaCry.
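As an added illustration of the McAfee note above (this is not code from the thread, McAfee or Microsoft), here is a small detection sketch: it scans SMB share write events for the file extensions WannaCry leaves behind and flags any client that writes several of them. The log format, host names and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Extensions the McAfee dossier says WannaCry appends to encrypted files
WANNACRY_EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncryt")

# Constructed sample of share write events (assumed format, not a real
# product's log): timestamp, client IP, share, file name
SAMPLE_EVENTS = """\
2017-05-12T10:01:03 192.168.1.20 \\\\FILESRV\\public report.docx
2017-05-12T10:01:04 192.168.1.20 \\\\FILESRV\\public report.docx.WNCRY
2017-05-12T10:01:05 192.168.1.20 \\\\FILESRV\\public budget.xlsx.WNCRY
2017-05-12T10:01:07 192.168.1.31 \\\\FILESRV\\public notes.txt
2017-05-12T10:01:09 192.168.1.20 \\\\FILESRV\\public photos.zip.WNCRY
2017-05-12T10:01:11 192.168.1.31 \\\\FILESRV\\public archive.wcry.bak
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def is_wannacry_name(name):
    """True if the file name ends in one of the known ransom extensions."""
    return name.lower().endswith(WANNACRY_EXTENSIONS)


def parse_events(text):
    """Return (client_ip, file_name) pairs, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((m.group(2), m.group(4)))
    return events


def suspicious_clients(text, threshold=2):
    """Clients that wrote at least `threshold` ransom-extension files."""
    counts = defaultdict(int)
    for client, name in parse_events(text):
        if is_wannacry_name(name):
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_EVENTS).items():
        print(f"{client}: {n} encrypted-looking files written to the share")
```

A hit here means a client on the LAN is already writing encrypted files to the share, which is exactly the "open SMB shares" case the note warns about; the fix remains patching MS17-010 on every host that can reach the share.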

According to my research the SMB vulnerability is related to remote procedure call over SMB. The Microsoft patch should solve the problem, but I wonder if there is a way to disable RPC over SMB, without losing the whole SMB.
