SMBLoris

Microsoft has declined to patch a vulnerability in the Server Message Block (SMB) file sharing protocol that affects all versions of the Windows operating system released in the past two decades, since Windows 2000.

The vulnerability is named SMBLoris and was discovered by two RiskSense security researchers — Sean Dillon (@zerosum0x0) and Jenna Magius (@jennamagius) — while exploring the NSA's EternalBlue SMB exploit back in June.

SMBLoris affects all three SMB protocol versions + Samba

The two discovered a flaw in the SMB protocol and affects all three versions — SMBv1, SMBv2, and SMBv3 — but also the Samba Linux server that provides SMB interoperability with Linux systems.

The vulnerability allows an attacker to open a connection to a remote computer via the SMB protocol and instruct that computer to allocate RAM to handle the connection. The attacker doesn't have to be authenticated.

The SMBLoris flaw is dangerous because it allows an attacker to open tens of thousands of connections to the same machine, exhausting its RAM and potentially crashing the target's computer.

The vulnerability does not allow remote code execution, which means an attacker can't take over vulnerable computers, but only crash them, at best.

SMBLoris is the SMB equivalent of Slowloris attacks

SMBLoris takes its name from the Slowloris attack on web servers. In 2009, security researchers discovered that an attacker could open a large number of connections to the same web server, exhausting bandwidth, sockets, or memory, and carry out one-man DDoS attacks. SMBLoris is the same thing but done via SMB instead of HTTP.

Disabling the SMB protocol won't help. According to the two RiskSense researchers, the only way to prevent an SMBLoris attack is if a computer running an SMB service is placed behind a firewall that blocks incoming SMB connections, or limits their number to a smaller value.

On Linux, admins can set "max smbd processes = 1000" in the Samba smb.conf config file to prevent attackers from opening a large number of SMB connections to the Samba server.

Proof-of-concept code available online

Researchers contacted Microsoft in June, but after separate reviews from two different internal security teams, Microsoft said it doesn't view this issue as a security bug. This answer means the company declined to fix the bug in an urgent security update but agreed that it's a bug and it will fix it in the upcoming future in a regular bugfix update at a time of its choosing.

Microsoft's response was an issue with the two researchers, who said that an attacker with "rudimentary network programming knowledge" could exploit SMBLoris and crash critical systems with port 445 exposed to the Internet.

Dillon and Magius also presented their findings at the DEF CON security conference that took place in Las Vegas last week. Security researcher Hector Martin released proof-of-concept code [1, 2] for exploiting SMBLoris. The YouTube video below shows a demo of SMBLoris in action.

Image credits: Amelia Wattenberger, Bleeping Computer