Kill it with fire: US-CERT urges admins to firewall off Windows SMB
Shadow Brokers may have loosed a zero-day so you're better safe than sorry
The US computer emergency readiness team is recommending organisations ditch old versions of the Windows SMB protocol and firewall off access to file servers – after a potential zero-day exploit was released by the Shadow Brokers hacking group.
The call from the US security clearing house does not name the Shadow Brokers as the cause of its warning, only that its advice follows public reporting of a potential Server Message Block (SMB) vulnerability.
Last year, the Shadow Brokers dumped online a cache of hacking tools from the NSA's Equation Group that attack vulnerabilities in products from major technology vendors. The exploits were touted in a staggeringly expensive online auction.
That auction, as expected, flopped. Last week, the Shadow Brokers dropped online a further cache of offensive tools for free as a parting gift: the crew is slipping off into retirement. The group's collection of Windows exploits remains for sale, however: that download includes what's claimed to be an exploit targeting a Windows SMB zero-day vulnerability. That SMB flaw remains unconfirmed thanks to the exploit's US$200,000-plus asking price. [250 BTC. 1 BTC = US$915 at the time of writing – ed.]
US-CERT says administrators should disable SMB version one and block all SMB traffic at network boundaries as a precaution.
"In response to public reporting of a potential Server Message Block vulnerability, US-CERT is providing known best practices related to SMB," it says in an advisory. "This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems."
The team recommends administrators:
- Disable SMB v1. US-CERT cautions users and administrators of potential issues that could be created by disabling SMB v1. Microsoft has been urging people to get off SMB v1 for ages.
- Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.