Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Microsoft Security Windows

Microsoft Won't Patch 20-Yr-Old SMBv1 Vulnerability (You Should Just Turn the Service Off) (onmsft.com) 131

An anonymous reader shares a news post: Following the recent WannaCry and Petya ransomware attacks, Microsoft recommended all Windows 10 users to remove the unused but vulnerable SMBv1 file sharing protocol from their PCs. This is because both variants of the ransomware actually used the same SMBv1 exploit to replicate through network systems, even though it seems that Petya mostly affected Windows PCs in Ukraine. Anyway, if you haven't turned off the protocol on the PC already, you really should: Not only because new WannaCry/Petya variants could once again use the same vulnerability again to encrypt your files, but because another 20-year-old flaw has just been unveiled during the recent DEF CON hacker conference. The SMB security flaw called "SMBLoris" was discovered by security researchers at RiskSense, who explained that it can lead to DoS attacks affecting every version of the SMB protocol and all versions of Windows since Windows 2000. More importantly, a Raspberry Pi and just 20 lines of Python code are enough to put a Windows server to its knees.
This discussion has been archived. No new comments can be posted.

Microsoft Won't Patch 20-Yr-Old SMBv1 Vulnerability (You Should Just Turn the Service Off)

Comments Filter:
  • by Anonymous Coward on Monday July 31, 2017 @03:08PM (#54915701)

    Why doesn't Microsoft patch the OS so that SMB1 is disabled entirely? I mean MS already shoves all sorts of crap down your throat anyways, why can't that unshove shit?

  • by GerbilSoft ( 761537 ) on Monday July 31, 2017 @03:09PM (#54915703)
    Most of HP's multi-function printers with Scan To Network only support SMB1. When will they issue a firmware update that adds support for SMB2?
    • Comment removed based on user account deletion
    • It's not just HP. It's a bunch of equipment-- some of it not even that old.

      Oh well. You'll have to buy a new one.

    • by OhPlz ( 168413 ) on Monday July 31, 2017 @03:43PM (#54915963)

      This is why you don't buy hardware from HP.

    • I have backup software that only works with SMB1.
      Game over.

      • by Wolfrider ( 856 )

        > I have backup software that only works with SMB1.

        --Past time to change backup software. If you need it to work with XP, current AOMEI and Acronis circa 9.1 should do the job. If you have more specific requirements, you owe it to your own personal security to look around for something else to replace software that is obviously outdated and insecure.

        • It's Acronis. Acronis vmProtect / Acronis Backup for VMware (they changed the name). The new version (which we don't have a license for) is called something else.

          I found out that Acronis requires SMB1 by disabling SMB1 and then having all hell break lose with the backups until I reenabled SMB1 on that server.

    • by AmiMoJo ( 196126 ) on Monday July 31, 2017 @03:48PM (#54915993) Homepage Journal

      Also, thanks to TFA for providing instructions on how to disable SMB1.

      Also why the hell does Windows have Super Mario Brothers 1 and 2 built in?!?

    • What amazes me is you can buy page-wide business printers right now that still have the vulnerability.
    • by tlhIngan ( 30335 )

      Most of HP's multi-function printers with Scan To Network only support SMB1. When will they issue a firmware update that adds support for SMB2?

      Use "Scan to email" instead. Scan to Network just seemed to be a waste of time, filling a folder with scan_**** files as people scanned them and left them there instead of deleting it. Scan to email is similar, but it just emails you the PDFs

      • by Strider- ( 39683 )

        On the setup I used, you'd pick your username, and your scans would be dropped into a folder in your home directory. Easy peasy.

  • You shouldn't use outdated standards. I thought this was already decided. Let me go update my router so that it'll fix a bug in WEP. That'll make it secure.
  • Like Robert Graham describes in http://blog.erratasec.com/2017... [erratasec.com], it's a type of attack that can be perpetrated against any service on the internet.

    Solutions:
    - Build a proxy service (per the article) that parses input before passing it to $SERVICE.
    - Do not put it on the internet (i.e. firewall).

    Is SMB open by default in Windows Firewall anyway? If anything, pooh-pooh Redmond for that. I know, I know, millions of affected hosts.
    • Build a proxy service (per the article) that parses input before passing it to $SERVICE.

      Sounds like a job for a Firewall/UTM to handle for you. Of course those don't usually protect much from internal traffic.

      • I agree, an intelligent firewall or IPS should be able to handle this sort of attack. Reductive and higher level, HAProxy (etc.) could handle this. Perhaps I'm naive on internal traffic element, but if you protect the gateways into your system I'd monitor that traffic at most.
  • by A10Mechanic ( 1056868 ) on Monday July 31, 2017 @03:43PM (#54915967)
  • Because SMBv2 on android is apparently still difficult. With ES File Explorer, you need to install some crappy game to get SMBv2 support and it's spotty at best. Not everyone likes to run a streaming server (that actually have client-like, full screen interfaces), just have a share or two and access it via SMB from all kinds of devices. Maybe there'll be a Windows port of SAMBA to use a non-vulnerable version of SMBv1.
  • The trouble is that lots of software still requires it. Probably why MS don't turn it off via an update.

    • by suutar ( 1860506 )

      They're planning to turn it off in Windows 10 Fall Creators Update according to TFA. I guess they've had enough of it.

      • They're planning to turn it off in Windows 10 Fall Creators Update according to TFA. I guess they've had enough of it.

        Why I paid the extra for Pro. This disabling of gpedit.msc (group editor) has been planned for the normal Windows 10 user since it's first release.

  • Remove it just to see it reappear after the next windows update.
    • Remove it just to see it reappear after the next windows update.

      So much support in such a small space. After an update I run %temp%, if I'm not taken to c:\temp I have to assume everything else has been re-rolled as well.

  • By "the service" do you mean SMB? The threat is descirbed as affecting all versions of SMB, but nearly all of the tech writers describing the bug are suggesting turning off SMBv1. Is no one actually paying attention to what the authors are saying, or am I missing something?

    • by E-Rock ( 84950 )

      Can you post where SMBLoris works on SBMv2 or v3? I haven't seen that, but the reporting has been pretty vague. Still you should remove (not just disable) SMBv1 where you can and block all inbound SMB traffic except where needed.

      • by MSG ( 12810 )

        https://threatpost.com/windows... [threatpost.com]

        "The vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000."

      • by MSG ( 12810 )

        ...and also:

        https://www.theregister.co.uk/... [theregister.co.uk]

        "According to Microsoft's SMB supremo Ned Pyle, SMBLoris affects all versions of SMB â" not v1 as first thought"

        Though it's not clear who "first thought" that. The authors were pretty clear that "it can lead to DoS attacks affecting every version of the SMB protocol." That's quoted from the slashdot summary, which is what makes it so very odd that the editors or the submitter spent most of the text of the summary talking about disabling SMBv1, which is in

        • by E-Rock ( 84950 )

          Thanks, I hope we get a patch for SMBv2/3 even if they declare SMBv1 dead.

        • by Shimbo ( 100005 )

          It's as if "disable SMBv1" has simply become a knee-jerk reaction to SMB bugs, and people are no longer listening to the details of new attacks.

          “The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

          Looks like Microsoft didn't get their story straight at first.

  • Won't this leave all Windows machines vulnerable to any other exploit that would gain access to the device, potentially turn it on again, and allow the ransomware to do its damage?

    It would be better to remove SMB1 support entirely, or patch it if that's too difficult for MS.

  • by aaarrrgggh ( 9205 ) on Monday July 31, 2017 @05:32PM (#54916767)

    OS X still has such miserable SMB client we are stuck with SMB1/CIFS to maintain some semblance of reliability and speed.

    • Actually, after breaking down and trying to get the thing to work it looks like it might just have terrible default values for caching and asynchronous transfer...

  • There is a switch and service to disable User Experience (not send into to MS). This does nothing, one must disable them in the Task Options.

    No remote access is the same way

    Autoruns https://docs.microsoft.com/en-... [microsoft.com] allows you a one click to stop method. BUT could take many areas the same programs is turned off - I have always disabled "Windows Mail" I've 0 use for it. It must take some 20 disables - there obvious.

    SMB is a one stop area.

You are always doing something marginal when the boss drops by your desk.

Working...