
Microsoft won't patch SMB flaw that only an idiot would expose



'SlowLoris' vuln could see a mouse of a machine take down an elephant of a server

Updated: A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway.


The 20-year-old Windows bug was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the ones exploited by the NSA's leaked EternalBlue tool.


After the talk was given, infosec researcher Jenna Magius described the SMB cockup in detail on Twitter: it's essentially a remote denial-of-service. Bear in mind it only works from afar if the target machine has SMB exposed to the internet, and for that reason, Microsoft doesn't see it as demanding an immediate patch.


The security weakness, dubbed SMBLoris, is a memory-handling bug: it can be exploited to force a vulnerable server on the internet or local network to allocate 128KiB of non-paged physical memory, which can't be swapped out, for every connection to the service.


You do this by sending three bytes to the SMB service with the 17-bit NBSS length field set to its maximum value. The kernel keeps the connection open for 30 seconds, waiting for a message that never arrives, and then gives up. So for 30 seconds, 128KiB of memory is tied up for every connection attempted.


You then fire off a connection from every possible source TCP port – up to 65,535 of them – and thus potentially chew through up to 8GiB of non-paged RAM for half a minute. This will hamper the performance of the machine, as the kernel is forced to scour the system for any free memory as more allocations arrive.


If a miscreant launches this attack on IPv4 and IPv6, that memory burden rises to 16GiB, and if an attack comes from just two IPs, they can fill 32GiB, and so on. Eventually, the target can't allocate memory, and needs a manual reboot if it becomes unresponsive. The name SMBLoris is a reference to the 2009 Slowloris bug.
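The mechanism above (a NetBIOS Session Service header whose 17-bit length field is fully set, sent with no body, each one pinning 128KiB of non-paged pool for 30 seconds) can be spotted on the wire. The following is an added example, not code from the article or from RiskSense: it parses the 4-byte NBSS header, flags header-only messages advertising the maximum length, and tallies per source the non-paged memory a server would have tied up inside one 30-second hold window. The sample records and the IP addresses are constructed.

```python
import struct
from collections import Counter

NBSS_HEADER_LEN = 4
NBSS_LENGTH_MAX = 0x1FFFF               # 17-bit length field fully set (131071 bytes)
NONPAGED_BYTES_PER_CONN = 128 * 1024    # per-connection reservation described in the article
HOLD_SECONDS = 30                       # how long the kernel keeps the half-open session alive

def parse_nbss_header(data: bytes):
    """Return (message_type, advertised_length) from a NetBIOS Session Service header.

    Layout: byte 0 = message type, byte 1 = flags (bit 0 is bit 16 of the length),
    bytes 2-3 = low 16 bits of the length, big-endian. The 17-bit length therefore
    spans the last three header bytes."""
    if len(data) < NBSS_HEADER_LEN:
        raise ValueError("truncated NBSS header")
    msg_type, flags, low16 = struct.unpack("!BBH", data[:NBSS_HEADER_LEN])
    return msg_type, ((flags & 0x01) << 16) | low16

def is_smbloris_probe(data: bytes) -> bool:
    """True for an opening message that advertises the maximum 17-bit length while
    carrying no body at all: the server reserves a buffer it will never get to fill."""
    try:
        _, length = parse_nbss_header(data)
    except ValueError:
        return False
    return length == NBSS_LENGTH_MAX and len(data) == NBSS_HEADER_LEN

def estimate_nonpaged_burden(records):
    """records: iterable of (source_ip, first_payload_bytes) seen within one
    30-second hold window. Returns {source_ip: (probe_count, bytes_held)}."""
    probes = Counter(src for src, payload in records if is_smbloris_probe(payload))
    return {src: (n, n * NONPAGED_BYTES_PER_CONN) for src, n in probes.items()}

# Constructed sample traffic (not captured from a real host):
# - a normal NetBIOS session request: type 0x81 carrying two 34-byte encoded names
# - a probe: type 0x00, flags bit 0 set, length bytes 0xFFFF, nothing after the header
ENCODED_NAME = b"\x20" + b"A" * 32 + b"\x00"
NORMAL_SESSION_REQUEST = struct.pack("!BBH", 0x81, 0x00, 68) + ENCODED_NAME * 2
PROBE = struct.pack("!BBH", 0x00, 0x01, 0xFFFF)
SAMPLE_RECORDS = [("10.0.0.5", NORMAL_SESSION_REQUEST)] + [("203.0.113.9", PROBE)] * 65535

if __name__ == "__main__":
    for src, (n, held) in estimate_nonpaged_burden(SAMPLE_RECORDS).items():
        print(f"{src}: {n} probes -> {held / 2**30:.2f} GiB non-paged for {HOLD_SECONDS}s")
```

Run against the constructed records, the single benign session request is ignored and the one source that opened a connection from every port accounts for just under 8GiB, matching the figure in the article.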


In response to Microsoft saying it didn't intend to issue a security fix for the problem, Dillon said: “The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”. ®

Updated to add

According to Microsoft's SMB supremo Ned Pyle, SMBLoris affects all versions of SMB – not only v1, as first thought – because it all happens so early on in the connection. The best thing to do is firewall off ports 445 and 139 from the public, and rate limit access to the service locally if you're paranoid about internal attacks.


Article source



LOL, Microsoft and their excuses not to fix leaks. I never leave these ports open, no way. I don't even port forward using my VPN; never had to yet.


Maybe, true, on the consumer's part, the service should be firewalled "anyway", as MS puts it. And the problem should also be fixed on their part, first and foremost. Maybe if they had done their job, as they should have, this would not have become an exploit in the first place. Way to go MS, blame your users for your own mistakes.


1 hour ago, Bausch said:

Way to go MS, blame your users, for your own mistakes.

They always do, just like when they removed the Start menu from Windows 8.1. They blamed it on the users: they said they collected telemetry and saw most everyone was pinning shortcuts to the taskbar, so they removed it, and still they haven't figured out how to put it back right in over 4 years. It's just like them blacklisting hardware: that's not their fault, it's your fault for not buying new hardware, or it's the vendor's fault for not supporting their flagship OS, lol. And if you do buy new hardware and try to use a legacy OS, it's still your fault; you're blacklisted because you should use their flagship OS, which is the only one supported with new hardware. :P


1 hour ago, brain_death said:

Only a dumbass has these ports open anyhow...

Petya ransomware utilized ports 137, 138, 139 and 445, and WannaCry utilized ports 445, 135, 138, 139... It's more common for Windows servers to have these ports open than home users with just Windows, and once the virus gets through the ports it infects every PC on the network with ransomware. Most 3rd-party firewalls and NAT router firewalls block these ports anyway by default. :)





I wonder if UPnP being enabled causes any risk for this particular vulnerability. I know, I know, UPnP should not be enabled, but many routers have it enabled by default, and I wonder if SMB uses it when required to do so.


You know, I get it that geeks know the ways of computers, but I take exception to calling someone an idiot because they don't have a certain port closed. The fact is many computer users just don't know any better, or that it's necessary to open or close a port or do any of the other things that must be done to have a "safe" computer. Over the years I have met many very smart people that just don't know anything about computer security, or for that matter even how to get the best from their machine. I think back to the days of the VHS recorders that everyone had, but a simple thing like setting the correct time evaded them; that's why the majority of VHS machines had 12:00 blinking forever. Now to call these people idiots is just not fair or correct. I am very comfortable with computers due to the fact I used them for so many years at work, starting with DOS, 3.1 and so forth. I am the only one in my family that is comfortable with them; all the men except me have very good mechanical abilities, from aircraft mechanics to building homes. Sadly I can't even hammer a nail, but I know computers pretty well; the thing is nobody knows everything, but most know at least one thing very well. Think the next time before you call an unknown person an idiot, and remember that when your car breaks, or so many other things, it's necessary for you to take the product to some so-called idiot because you cannot fix it. ;)

