Back in May, the widespread WannaCry ransomware attacks crippled more than 200,000 companies across 150 countries worldwide. The campaign targeted private companies and public organizations and it has actually endangered the lives of people by shutting down the computer systems of key services.
In WannaCry’s aftermath, lessons were learned, emergency patches were deployed, and the current state of worldwide internet security was reviewed.
The exploit used to spread the malware was called EternalBlue, a Windows SMB flaw that is part of the NSA hacking toolkit leaked by a group called Shadow Brokers in April. Note: SMB is Windows’ file-sharing protocol.
Since the flaw affected older, unsupported Windows machines that millions of users apparently still use, Microsoft took the unusual step of pushing out emergency patches for outdated systems like Windows XP and Vista and even bundling them with its regular monthly updates. This means that the EternalBlue SMB flaw, addressed by MS17-010, is, hopefully, now a thing of the past.
But is it? At the DEF CON conference last week, security researchers said that while investigating the EternalBlue flaw, they discovered a 20-year-old Windows SMB bug that exists in virtually all Windows machines, from Windows 2000 to Windows 10. They called it a critical security issue, since the bug can be used to take down even the biggest corporate or web servers from a single machine as small as a Raspberry Pi.
The flaw, dubbed SMBLoris by RiskSense’s Sean Dillon and Zach Harding, is essentially a remote denial-of-service attack that can freeze and crash a server using only 20 lines of code and a microcomputer.
Now that SMBLoris is dropped at DEF CON, time to drop it on Twitter:
The first 3 bytes of an SMB connection are an NBSS header,
— Jenna Magius (@JennaMagius) July 29, 2017
The flaw was privately disclosed to Microsoft in early June, but Microsoft responded that the issue will not be patched, since the SMB service should be blocked from internet access by a firewall anyway. The company classified the flaw as a moderate issue and will take no further action to fix it, since in its view it does not pose a serious security danger.
Regarding Microsoft’s decision not to patch the issue, Dillon said, “The reason they say it’s a moderate issue is because it does require opening many connections to the server, but you could do it all from a single machine, and a Raspberry Pi could take down the beefiest server.”
This suggests that, if precautions are not taken, massive Distributed-Denial-of-Service (DDoS) attacks can be launched from a single machine, without the need for a botnet.
How to protect yourself from SMBLoris
Although SMBLoris is more of a threat to servers, it can also be used to crash and freeze personal computers if they are vulnerable. Since SMBLoris affects all versions of SMB, the best way to protect your system is to block ports 445 and 139 in your firewall from the internet and limit access to them internally.
These ports are typically closed or in stealth mode anyway, but if you want to make sure, you can test your firewall for exposed ports. To do that, you can use this free online tool to check whether your computer is visible to port scanners.
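If you would rather run the exposure check yourself than rely on an online tool, the script below is an added example written for this article; it is not code from the researchers, from Microsoft or from the tool the article mentions. It attempts a plain TCP connection to ports 139 and 445 on a host you name (the host name, timeout and the function names are the example's own choices) and reports whether each port accepted the connection from the machine running the script. Run it from outside your network against your own public address to confirm that the firewall block described above is in place, and from inside against your own servers to see how far internal access is limited.

```python
import socket
from typing import Dict, Iterable

# The two SMB-related TCP ports the article recommends blocking:
# NetBIOS session service (139) and direct-hosted SMB (445).
SMB_PORTS = (139, 445)


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means the port is reachable from this vantage
    point; a refusal or timeout means it is closed or filtered from here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
        return False


def check_smb_exposure(host: str,
                       ports: Iterable[int] = SMB_PORTS,
                       timeout: float = 3.0) -> Dict[int, bool]:
    """Map each port to whether it is reachable on host."""
    return {port: check_port(host, port, timeout) for port in ports}


def exposure_report(host: str, results: Dict[int, bool]) -> str:
    """Render the results as a short human-readable report."""
    lines = [f"SMB exposure check for {host} (from this machine):"]
    for port, reachable in sorted(results.items()):
        if reachable:
            state = f"REACHABLE - block inbound tcp/{port} at the firewall"
        else:
            state = "not reachable"
        lines.append(f"  tcp/{port}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Default target is the local machine; pass your own host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(exposure_report(target, check_smb_exposure(target)))
```

A "not reachable" result only tells you that the port is closed or filtered from where the script ran, so the external and internal runs answer different questions. On Windows, the inbound block itself can be created with the built-in Windows Firewall (for example, a New-NetFirewallRule inbound rule with -LocalPort 139,445 and -Action Block), which is the same control the article describes.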