Tag Archives: SMB Protocol

An endless stream of SMB vulnerabilities …

11 June 2020

SMBleed, SMBLost, and SMBGhost/CoronaBlue are the vulnerabilities detected in the Microsoft SMB V3 protocol this year.

Critical SMB Vulnerabilities

Critical SMB Protocol Vulnerabilities

SMBleed/SMBGhost can be used to compromise a company network by attacking a system in the DMZ with port 445 open to the internet. Fortunately, SMBleed and SMBGhost impact only the latest Windows 10 versions. The number of Windows 10 systems directly accessible from the internet is still small.

Vulnerable Windows 10 1909 Pro Systems

Vulnerable Windows 10 1909 Pro Systems

Like EternalBlue, SMBLost impacts all Windows versions but is less critical because authentication (PR:L) is required.

The good news is that patches were available at the time the vulnerabilities were published. But it takes some weeks to implement them. During this time companies remain vulnerable against cyber-attacks.

Vulnerability management / priority patching is the standard approach to this kind of vulnerabilities. IT staff is kept busy, IT security solution and service providers make a good bargain, but the company’s resilience against cyber-attacks stays low. Companies can only hope that also the next SMB vulnerability is disclosed after a patch is available.

From an entrepreneurial point of view the obvious solution is to remove such systems from the internet. A risk assessment is imperative to evaluate the potential loss of sales and the costs of recovering from a cyber-attack. If the recovery costs exceed the potential loss of sales the system should be removed. This will slightly reduce IT costs but increase the resilience against such kind of cyber-attacks.

It is high time to evaluate IT[-security solutions] from an entrepreneurial point of view, in terms of Loss of Sales and Loss of EBIT.

Have a great weekend.

Why is the industry such vulnerable against WannaCry and NotPetya style attacks? Part I

9 July 2017

“Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.” The report “Germany says cyber threat greater than expected, more firms affected” published in the Reuters Technology News on 7 July 2017 is worth reading.

But the big question is: Why is the industry such vulnerable against WannaCry and NotPetya style attacks?

In my opinion, the main reasons for this are

  • the aging IT infrastructure, and
  • the built-in features of the Windows operating system.

Aging IT infrastructure

SMB Version Introduced with Version Year of Release
V1.0 Windows 2000 2000
Windows XP / 2003 Server 2001 / 2003
V2.0 Windows Vista / 2008 Server 2007 / 2008
Windows 7 / 2008 Server R2 2009
V3.0 Windows 8 / 2012 Server 2012
Windows 10 / 2016 Server 2015 / 2016

Table 1: SMB Versions

The source of today’s problems, SMB V1.0, was introduced with Windows 2000. With the end of the extended support for Windows XP on 8 April 2014, and Windows 2003 Server on 14 July 2015, Windows XP/2003 Server became a big security issue.

Nevertheless, systems with XP or Windows 2003 Server are still operated in data centers and industrial networks. Since these systems must exchange data with other Windows-based systems, SMB V1.0 cannot be just switched off. Even Windows systems which support SMB V2.0 or higher must allow SMB V1.0 for data exchange with older versions.

The big question is: Why takes it so long to shut down Windows XP/2003 Server? The answer is easy: Software and hardware manufacturers have not sufficiently cared about the software life cycle, at least in the past. Let me illustrate this with an example.

A package unit in Healthcare industry is a large machine with lots of inbuilt computers. Since package units are very expensive, they are operated for many years and extensively changed to support new products. With this, a package unit delivered in 2008 with embedded Windows XP control units may still be in use 24 hours a day in 2017.

The hardware of the computers is designed to control a high-speed packaging process. To ensure sustained high operational quality the manufacturer often allows neither the installation of anti-malware software nor service packs for the OS, not to mention the upgrade to newer versions of the Windows OS.

Since the MES (Manufacturing Execution System) copies files to and from the packaging unit through files shares on the embedded Windows XP control stations, the MES must communicate through the SMB V1.0 protocol. The same is true for computers used in remote maintenance. With this, a single Windows XP machine reduces the security level of an entire network.

The big challenge is to design maintenance-friendly industrial computer systems: An exchange of hardware and software components, which are near End-of-Life or which have reached technical limits, must be easily possible. This requires a change in the design of software in industry. In addition, hardware should be dimensioned such that basic security features like anti-malware protection could be operated.

Manufacturers were often not aware of the software lifecycle and its impact on cyber security and integrity of product and production in the past. A change is desperately needed, in particular with regards to the increased use of IIoT devices.

Have a great week.