Windows SMB Security Flaw Detailed
A new Windows security issue was revealed by security firm Cylance that could lead to a hijack of user credentials.
The flaw, which the Irvine, Calif.-based security company calls "Redirect to SMB," could lead to a man-in-the-middle attack by intercepting communications between a Windows-based machine and a legitimate Web server. Researchers at Cylance said the flaw is very similar to another Windows security issue found in the late 1990s.
"The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word 'file' (such as file://184.108.40.206/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 220.127.116.11," wrote the company in a blog post."It's a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network."
Attackers would have to gain access by having a targeted user click on a malicious e-mail link or harmful Web ad that connects a system to a server controlled by the attackers. The company said the flaw can be found in every version of Windows, including the previews of Windows 10, and could be executed with the use of one of the 31 vulnerable software packages discovered, which includes Adobe Reader, Apple QuickTime, Internet Explorer and Windows Media Player, to name a few.
While the team has been able to provide proof of concept for the flaw, it said that there have been no known attacks using the Redirect to SMB flaw. It suggests that outbound traffic from TCP 139 and TCP 445 be blocked. Cylance also called out Microsoft for not patching the SMB server issue when it was first discovered.
"Microsoft did not resolve the issue reported by Aaron Spangler in 1997," wrote Cylance. "We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack."
Microsoft responded in a statement saying the SMB flaw was not as serious as Cylance claims due to the difficulty attackers would have when attempting to take advantage of the vulnerability. "Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature," said Microsoft in a statement to Reuters. "There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials."