Microsoft was notified on June 2 this year of a vulnerability in the company's implementations of all versions of the Server Message Block SMB. Vulnerability should have been around for more than 20 years and affects all newer versions of Windows, but also the Samba software, which provides Linux machines with support for SMB. SMB is used, among other things, to share file areas and printers across networks, preferably local area networks.
Microsoft was notified on June 2 this year of a vulnerability in the company's implementations of all versions of the Server Message Block SMB. Vulnerability should have been around for more than 20 years and affects all newer versions of Windows, but also the Samba software, which provides Linux machines with support for SMB. SMB is used, among other things, to share file areas and printers across networks, preferably local area networks.
Vulnerability, called SMBLoris, allows performing DoS attacks against computers with SMB support without the attacker having to be an authenticated user.
Same port as WannaCry
In any event, the attack can be performed via port 445, the same port as the WannaCry malware. It turned out that there are many who have this network port exposed to the internet. In others, the attacker must first access the victim's local area network.
According to security researchers who have discovered vulnerability, Sean Dillon and Jenna Magius of RiskSense, only basic networking skills are required to carry out the attack.
Enormously resource-intensive
Vulnerability allows an attacker to send a large amount of requests requiring little of the client machine, but that leads to the allocation of large amounts of memory on the target machine, as well as what is referred to as huge amounts of wasted CPU cycles.
This may cause the target machine to be unable to perform its usual tasks, such as server services such as email, database and web. At worst, the attack can cause the system to crash.
In the video below, where the attack is demonstrated, the memory usage of the attacked machine is greatly increased. At the same time, the machine is no longer able to respond to ping queries.
More details about vulnerability can be found on this page.
Rejected by Microsoft
According to security researchers, two different teams at Microsoft have assessed the vulnerability. However, both have come to the conclusion that it is not serious enough that it will be removed through a security update. Instead, the company has stated that the issue will be addressed in a future edition of Windows.
Vulnerability should be named after Slowloris, a similar type of DoS attack that could be targeted to several different types of web servers. This was first demonstrated in 2009.
Possible measures
Administrators of computers with Samba can prevent this kind of attack by adding the following line to the smb.conf file.
Max smbd processes = 1000
It will limit how many processes the smb daemon will run at once.
Windows computer administrators can prevent attacks by blocking the SMB service using a firewall, either on the system itself or externally. You may limit how many SMB connections a single IP address may be open at any given time.
Security scientists should have demonstrated the attack to the public during the Def Con conference, which was held in Las Vegas in late July.
According to Bleeping Computer, security researcher Hector Martin has released a conceptual evidence of an assault tool that can exploit SMBLoris. The code is available here and here. It will enable a fully updated Windows 10 Pro machine with 8 gigabytes of RAM to pin in less than 10 seconds.