Proof of Concept code for SMBv3 zero-day leads to Blue Screens, maybe worse

Topic

New Reply

Coming soon on InfoWorld
[See the full post at: Proof of Concept code for SMBv3 zero-day leads to Blue Screens, maybe worse]

2 users thanked author for this post.

ch100, WildBill

Reply | Quote

Replies

Thanks & Danke schoen to Gunter Born! He’s probably right that PC’s on WAN’s may be vunerable & not LAN’s or WLAN’s. I haven’t been bitten on public Wi-Fi… Yet.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

So what server is infected? Does it also affect Windows 7? Do you think this’ll be patched?

Reply | Quote

I’m certain it’ll be patched. I expect MS to issue a security alert any minute.

What servers? I don’t know. But the Proof of Concept code is straightforward, and available on Github. That means it’s probably already in script kiddie packages.

See https://twitter.com/dangoodin001/status/827557860687044608

Reply | Quote

Windows 7 does not use SMB3.
If you are not in a network using file shares, you would not be directly affected.
However, good practice require blocking access from the internet to ports 137, 138, 139 and 445 and most ISPs already provide this functionality by default. Many routers also enable this port blocking as basic firewall rule.
Also you should keep the system fully patched as it is not known if a previous patch mitigates the problem or if systems other than those already documented are affected.
Best effort is always better than inaction.

Reply | Quote

Thank you for clarifying ch100.

Reply | Quote

I wonder how many people realize that “connect to an infected server”, in the context of this report, doesn’t mean the kinds of things most folks do online.

SMB is the protocol Windows uses for file and printer sharing.

Unless I’m missing something that other people do that I never do (using OneDrive maybe?), these are not the kinds of connections I *ever* make with “online” servers. Instead, these are the connections enterprises use in their private networks (e.g., to see files on \\SERVER\SHARE). I do use this protocol inside my company network. But of course I have protections against my internal servers being compromised.

To put it succinctly, the “server” described that has to be compromised is not just any old web server that sends people web pages, but generally one which is inside a company or private network offering file and printer sharing.

To not be specific about this seems to spread some unwarranted Fear, Uncertainty, and Doubt.

https://en.wikipedia.org/wiki/Server_Message_Block

Please, someone enlighten me as to whether there’s some component to this I’m not thinking of (e.g., under the covers in OneDrive, Skype, or one of the cloud integrations in the newer versions of Windows?).

-Noel

2 users thanked author for this post.

212louis, ch100

Reply | Quote

I use SMB to connect to my NAS drive from my Mac. A NAS drive is actually a server.

Reply | Quote

A lot of people use an internal server for file sharing, but most use an “appliance”, which is a black box running a flavour of Linux hidden from the user by a fancy GUI.
We don’t know at this stage if Linux is affected or which NAS appliances are running SMB3.

Anyone remember Blaster?
It looks like this is the same style of 0-day attack on port 445.

Reply | Quote

Correct. Somebody would have to plant the bad code on a server that your computer attaches to directly. That’s why I included Born’s explanation.

Reply | Quote

PKCano wrote:

I use SMB to connect to my NAS drive from my Mac. A NAS drive is actually a server.

Right. And in your case your NAS drive would have to be compromised in order for your Windows system(s) to be affected by this issue. As ch100 points out, we’re not being told how – or if – that could be done.

This isn’t at all the same as connecting to any old web server with a web browser.

I’m concerned that people – who might never have had enterprise computing experience or who simply don’t understand all the complexities of networking – could read more into it than there is and look in the wrong directions or just become unnecessarily upset. Computers don’t just “connect to servers” in one way. This is a case where details matter.

Yes, I suppose you could say that any security threat that keeps online safety in the minds of the masses could be a Good Thing…

But the thing is, incompletely stated/understood threat reports – especially those described as “zero day” – can cause people to make rash decisions. Always think about things first, and seek knowledge before acting. It’s kind of a computer version of “measure twice, cut once”.

-Noel

2 users thanked author for this post.

AlanH, Elly

Reply | Quote

Did you hear the one about MS using this to push upgrade to Win10 and Edge, even though it does not require a browser to attack and Win10 is also prone to it?

No shame.

Reply | Quote

Naw, not a chance. Sounds like MS was warned, didn’t react quickly enough, and got snowbagged. See the Ars Technica report.

Reply | Quote

woody wrote:

Naw, not a chance. Sounds like MS was warned, didn’t react quickly enough, and got snowbagged. See the Ars Technica report.

Typical for M$

Reply | Quote

Not Woody. He wouldn’t cry WOLF if there was a cute golden lab puppy at the door. I would follow Woody through the eternal flames of H*** — well, maybe JUST UP TO the flames…

1 user thanked author for this post.

woody

Reply | Quote

ANOTHER UPDATE: Last night, Microsoft Program Manager Ned Pyle tweeted “Yes, fix is coming. I’m not allowed to say more, because Microsoft.”

We can only hope they’re not rushing it out. Much as a quick response seems necessary, it’s still important to get it right.

• They need to completely fix the problem.
• They need to not break anything new.
• They need to maintain system performance.

That’s not always easy to accomplish. We all imagine in our best hopes that it could be a simple matter of adding a line of code to compare a length field – something that requires almost no extra compute time – and voila, bug fixed. But the reality is, depending on the bug, a part of the system may need to be re-designed.

I only bring this up at all because Microsoft has been changing the way they deliver their work to us. Today – presumably in the name of lowering costs – we’re getting software that’s been through fewer and fewer reviews and tests. From the engineers’ desks to ours. Some Windows 10 releases were built literally only a few days before becoming available to the public. There’s clearly not the professional testing being done inside Microsoft that there once was. I can’t help but think this new philosophy of quick and continuous software delivery might also influence changes to the older systems we all rely on, and as a career software engineer that worries me.

In today’s fast moving world we need to trust patches to keep us safe, but we also need to be careful not to allow Microsoft’s questionable policies to break the systems we rely upon. Woody’s MS-DEFCON system is likely more meaningful now than ever before.

-Noel

1 user thanked author for this post.

woody

Reply | Quote

+1

Reply | Quote

Can anyone tell me what the actual STOP code is on the BSOD, not just the triggered file (mrxsmb20.sys)? I’d love to have an alert setup to let me know if any of my systems start generating this crash, just need to know exactly how it presents itself…

Reply | Quote

Even if it didn’t happen, it’s pretty clear that people expect it to happen.

That’s the downside of acting like a predator. People lose trust. Better get used to it – that trust is not coming back soon.

Good morning – there IS a downside to using up a company’s reputation in the name of Marketing.

-Noel

Reply | Quote