Microsoft won't patch SMB flaw that only an idiot would expose
'SlowLoris' vuln could see a mouse of a machine take down an elephant of a server
Updated A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway.
The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the ones exploited by the NSA's leaked EternalBlue tool.
After the talk was given, RiskSense's Dylan Davis described the SMB cockup in detail on Twitter: it's essentially a remote denial-of-service. Bear in mind it only works from afar if the target machine has SMB exposed to the internet, and for that reason, Microsoft doesn't see it as demanding an immediate patch.
The security weakness, dubbed SMBLoris, is a resource-exhaustion bug in the kernel's handling of incoming SMB connections: it can be exploited to force a vulnerable server on the internet or a local network to allocate 128KiB of non-paged physical memory, which can't be swapped out, for every TCP connection to the service. You do this by connecting to the SMB service, sending three bytes of the NetBIOS Session Service header with its 17-bit NBSS length field set to the maximum, and then sending nothing more. The kernel sets aside a buffer for the promised message, keeps the connection open for 30 seconds waiting for the rest of it, and then gives up. So for 30 seconds, 128KiB of memory is tied up for every connection attempted.
You then open one such connection from every TCP source port available to you – up to 65,535 per client address – and thus potentially chew through up to 8GiB of non-paged RAM for half a minute. This will hamper the performance of the machine, as the kernel is forced to scour the system for free memory as more allocations arrive.
If a miscreant launches this attack over both IPv4 and IPv6, that memory burden rises to 16GiB; from two source IP addresses, 32GiB; and so on. Eventually the target can't allocate memory at all and, if it becomes unresponsive, needs a manual reboot. The name SMBLoris is a nod to Slowloris, the 2009 denial-of-service technique that likewise tied up web servers by holding open many cheap, partial HTTP connections.
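The arithmetic above follows directly from the shape of the NetBIOS Session Service header (RFC 1002: one type byte, one flags byte whose low bit is bit 16 of the length, then a 16-bit length, so the announced length is 17 bits wide and tops out at 0x1FFFF). The following Python is an added illustration written for this article, not RiskSense's proof-of-concept or any Microsoft code: it encodes and decodes that header, shows the maximal-length header an SMBLoris client would send, and reproduces the 8/16/32GiB estimates. The 128KiB-per-connection figure is taken from the article as an assumption, not measured here, and nothing in the block opens a network connection.

```python
import struct

# NetBIOS Session Service (RFC 1002) header: 1 byte type, 1 byte flags,
# 2 bytes length. Bit 0 of the flags byte is bit 16 of the length, so the
# length field is 17 bits wide and tops out at 0x1FFFF (131071 bytes).
NBSS_SESSION_MESSAGE = 0x00
NBSS_LENGTH_EXTENSION = 0x01      # flags bit carrying length bit 16
NBSS_MAX_LENGTH = 0x1FFFF

# Assumption taken from the article, not a value measured here: Windows pins
# 128 KiB of non-paged pool for a connection announcing the maximal length.
NONPAGED_PER_CONNECTION = 128 * 1024


def nbss_header(length: int, msg_type: int = NBSS_SESSION_MESSAGE) -> bytes:
    """Encode a 4-byte NBSS header announcing a message of `length` bytes."""
    if not 0 <= length <= NBSS_MAX_LENGTH:
        raise ValueError(f"length {length:#x} does not fit in 17 bits")
    flags = NBSS_LENGTH_EXTENSION if length & 0x10000 else 0
    return struct.pack(">BBH", msg_type, flags, length & 0xFFFF)


def parse_nbss_header(buf: bytes) -> tuple:
    """Decode (msg_type, length) from the first four bytes of a session stream,
    rejecting reserved flag bits so a malformed header is not silently accepted."""
    if len(buf) < 4:
        raise ValueError("NBSS header is four bytes")
    msg_type, flags, low16 = struct.unpack(">BBH", buf[:4])
    if flags & ~NBSS_LENGTH_EXTENSION & 0xFF:
        raise ValueError(f"reserved flag bits set: {flags:#04x}")
    return msg_type, ((flags & NBSS_LENGTH_EXTENSION) << 16) | low16


def smbloris_header() -> bytes:
    """The only bytes an SMBLoris client sends per connection: a session message
    header promising a maximal-size payload that never arrives."""
    return nbss_header(NBSS_MAX_LENGTH)


def nonpaged_burden_bytes(source_ips: int = 1, address_families: int = 1,
                          ports_per_ip: int = 65535) -> int:
    """Worst-case non-paged pool pinned during one 30-second window.

    A client address can hold one connection per TCP source port, so each
    (IP, address family) pair contributes up to ports_per_ip allocations.
    """
    connections = source_ips * address_families * ports_per_ip
    return connections * NONPAGED_PER_CONNECTION


def gib(n_bytes: int) -> float:
    return n_bytes / 2 ** 30


if __name__ == "__main__":
    hdr = smbloris_header()
    print("SMBLoris header bytes:", hdr.hex())          # 0001ffff
    print("announced (type, length):", parse_nbss_header(hdr))
    for ips, fams in ((1, 1), (1, 2), (2, 2)):
        print(f"{ips} source IP(s) x {fams} address family(ies): "
              f"{gib(nonpaged_burden_bytes(ips, fams)):.1f} GiB")
```

The decoder deliberately refuses headers with reserved flag bits set; a server that instead trusted the 17-bit length and committed pool memory before any payload arrived is exactly the behaviour the article describes.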
In response to Microsoft saying it didn't intend to issue a security fix for the problem, RiskSense's Sean Dillon said: “The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server”. ®
Updated to add
According to Microsoft's SMB supremo Ned Pyle, SMBLoris affects all versions of SMB, not just v1 as first thought, because the allocation happens so early in the connection that no SMB dialect has been negotiated yet. The best thing to do is firewall off TCP ports 445 and 139 from the public internet, and rate limit connections to the service locally if you're worried about attacks from inside the network.
Samba, in its default configuration on Linux and possibly other operating systems, is also susceptible to SMBLoris-like attacks.
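Firewalling 445 and 139 is the fix for the internet-facing case; for the internal case, the practical check is whether any single peer is holding an abnormal number of connections to your SMB ports, since a legitimate client needs only a handful while an SMBLoris client needs thousands. The Python below is an added example for this article, not a tool from Microsoft, RiskSense or the Samba project: it parses netstat-style connection lines (the constructed sample mimics `netstat -an` output and is not captured from a real host), counts ESTABLISHED connections to ports 445 and 139 per remote address, and flags peers above a threshold you choose. The 128KiB-per-connection figure used to estimate pinned memory is again taken from the article.

```python
from collections import Counter

SMB_PORTS = {445, 139}
NONPAGED_PER_CONNECTION = 128 * 1024   # per the article; an assumption here

# Constructed sample in the shape of Windows `netstat -an` output
# (Proto, Local Address, Foreign Address, State). Not real traffic.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.77:50001        ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.77:50002        ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.77:50003        ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.77:50004        ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.77:50005        ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.12:61022        ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.77:50006        ESTABLISHED
  TCP    [fe80::1%4]:445        [fe80::77%4]:50007     ESTABLISHED
"""


def split_endpoint(endpoint: str) -> tuple:
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def smb_connections_per_peer(netstat_text: str) -> Counter:
    """Count ESTABLISHED connections to the local SMB ports, keyed by peer address.

    Takes the last three whitespace-separated fields as local, foreign, state,
    which fits both Windows `netstat -an` and Linux `netstat -an` line layouts.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        local, foreign, state = fields[-3], fields[-2], fields[-1]
        if state != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(local)
        if local_port not in SMB_PORTS:
            continue
        peer, _ = split_endpoint(foreign)
        counts[peer] += 1
    return counts


def flag_smbloris_suspects(netstat_text: str, threshold: int) -> dict:
    """Peers holding at least `threshold` SMB connections, with the non-paged
    memory they would be pinning if each connection were an SMBLoris probe."""
    return {
        peer: {"connections": n, "pinned_bytes": n * NONPAGED_PER_CONNECTION}
        for peer, n in smb_connections_per_peer(netstat_text).items()
        if n >= threshold
    }


if __name__ == "__main__":
    for peer, info in flag_smbloris_suspects(SAMPLE_NETSTAT, threshold=3).items():
        print(f"{peer}: {info['connections']} SMB connections, "
              f"~{info['pinned_bytes'] // 1024} KiB non-paged pool at risk")
```

Pick the threshold from your own baseline rather than the sample's; on a file server a single workstation rarely needs more than a few sessions, but backup agents and scanners can legitimately hold more. A peer far above baseline is a candidate for the local rate limiting Pyle recommends.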