usd HeroLab Top 5 Vulnerabilities 2020: SMB 1.0 & SMB Signing

7. September 2021

During penetration tests our security analysts repeatedly uncover gateways in IT systems and applications that pose significant risks to corporate security. They increasingly identify the same vulnerabilities in different IT assets, some of which have been known for years. In our mini-series, we present our top 5 most notable vulnerabilities from 2020. Part 5: SMB 1.0 & SMB signing

Vulnerability Background

The Server Message Block protocol (SMB) is a widespread network protocol that is mainly used to exchange files and print jobs. It plays a central role in Windows environments in particular, since also remote procedure calls (RPC) are often transmitted via SMB.

SMB Signing is an additional mechanism to increase the security of the SMB protocol. Each SMB packet is signed by the sender and verified by the receiver. Attackers cannot modify signed SMB packets, which limits the amount of possible attacks.

Exemplary hacker attack and its consequences

One of the oldest versions of the SMB protocol is SMBv1, which has general security problems in addition to very well-known vulnerabilities such as EternalBlue or SMBLost. The latest version of the SMB protocol is SMBv3, which has significant security advantages over its predecessors.

Within our annual statistics, both SMBv1 and missing SMB signing occurred quite frequently. This is a surprising result considering that the statistics also include application-only tests and pentests on non-Windows based environments. The consequences of a successful exploit can be critical.

Even newer versions of the SMB protocol can be vulnerable to attacks. One of the most well-known of these attacks is the NTLM relay attack, in which the authentication of a user is passed on to another system. If no signing of packets is enforced at the SMB level, an attacker can thus impersonate another user, as shown schematically below:

(own design)

Recommended measures

The SMBv1 protocol is heavily outdated and all modern devices support the use of newer SMB versions as well as SMB signing. As long as legacy systems do not play a role, the use of SMBv1 should be avoided and SMB signing should be enforced within the server configuration. In legacy environments, care should be taken to ensure a sufficient patch level of the corresponding systems, and external access to the corresponding networks should be well secured.

Bitte beachten Sie, daPlease note that this is a very general recommendation for security measures. We are happy to support you with individual solutions. Feel free to contact us.



Read more about our top 5 most notable vulnerabilities and other exciting topics in our 2020 Annual Report.

Also interesting:

DORA Countdown: One Month Left Until the Deadline

DORA Countdown: One Month Left Until the Deadline

DORA, the Digital Operational Resilience Act, will fully apply as of 17 January 2025. We have summarized everything you need to know about the EU regulation, preparation and best practices from our news blog.

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on...

Top 3 Vulnerabilities in SSO Pentests

Top 3 Vulnerabilities in SSO Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Categories

Categories