How SMBv1 Leaves Your Organization’s Server Open to Cyberattacks

Servers are the core of every organization’s IT operations. Many organizations, however, leave this core component open to cyberattacks by continuing to run SMBv1.

What Is SMBv1?

SMBv1, which stands for Server Message Block version 1, was created by Barry Feigenbaum at IBM in the early 80s as a file sharing protocol for DOS. In the 90s, Microsoft adopted SMBv1 in its operating systems as the protocol for sharing access to files, printers and other resources on a network.

SMBv2, which stands for Server Message Block version 2, was introduced in Windows Vista and Windows Server 2008. SMBv3 was introduced in Windows 8 and Windows Server 2012. In 2014, Microsoft publicly deprecated SMBv1 and advised that it be avoided.

SMBv1 is no longer installed by default in the latest Windows operating systems. This over-30-year-old protocol can still be reinstalled on them, however, because older versions of Windows still depend on SMBv1. On May 12, 2017, Microsoft issued an emergency security update for Windows versions that no longer received support from Microsoft, to fix a critical vulnerability in SMBv1.

Past Security Vulnerabilities of SMBv1

September 13, 2016 Security Vulnerability

On September 13, 2016, Microsoft issued a patch fixing a security vulnerability in the SMBv1 server of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 which “could allow remote code execution if an authenticated attacker sends specially crafted packets” to the SMBv1 server; a less severe outcome of the same flaw was a denial of service.

In remote code execution, an attacker runs code of their own choosing on someone else’s computer over the network, and so can change it at will regardless of where the computer is geographically located. In a denial of service, an attacker prevents legitimate users from using a system or service.

September 16, 2016 Advisory: “Stop using SMB1”

On September 16, 2016, in a blog post entitled “Stop using SMB1”, Ned Pyle, Principal Program Manager in the Microsoft Windows Server High Availability and Storage group, advised users of Windows operating systems to stop using SMBv1. According to Pyle, SMBv1 lacks the protections that later versions have against man-in-the-middle attacks, a form of cyberattack in which an attacker who sits on the path between a computer and a server can read, and potentially alter, the data exchanged between them.

January 16, 2017 Security Vulnerability

On January 16, 2017, the United States Computer Emergency Readiness Team (US-CERT) warned that Server Message Block (SMB), regardless of version, “could allow a remote attacker to obtain sensitive information from affected systems.”

May 12, 2017 Security Vulnerability

On May 12, 2017, Microsoft issued an emergency patch fixing a vulnerability in Windows XP, Windows 8 and Windows Server 2003 that again could allow remote code execution if an attacker sends specially crafted messages to an SMBv1 server. Supported Windows versions had already received the fix for the same vulnerability in March 2017 as security bulletin MS17-010; the emergency patch extended it to unsupported versions in response to the worldwide May 12, 2017 WannaCry attack.

WannaCry is malicious software (malware) that denies computer users access to their computer systems or data until a ransom is paid. In less than 24 hours of its release, it is estimated that more than 300,000 computers in 150 countries were infected by WannaCry. Users of Windows XP, Windows 8 and Windows Server 2003 were particularly exposed because, at the time of the main attack on May 12, 2017, these three operating systems were out of support, that is, Microsoft had stopped issuing patches for them.

WannaCry was able to infect hundreds of thousands of computers in less than 24 hours, far faster than earlier SMBv1 exploitation, because it has worm capability: it self-replicates, scanning for other computers reachable over SMB (TCP port 445) and exploiting them without any human interaction.

Cybersecurity Best Practices

SMBv1 leaves your organization’s servers open to cyberattacks. It is therefore important to stop using this more than 30-year-old protocol as soon as possible.

Designed in the 80s, SMBv1 was never built for the modern-day cyber environment, one of active attackers, troves of critical data and near-universal computer usage. As the examples above show, the protocol carries security vulnerabilities that attackers can and do exploit.

Aside from the security vulnerabilities presented by SMBv1, Pyle said this old protocol isn’t efficient and isn’t usually necessary. “When you use SMB1, you lose key performance and productivity optimizations for end users,” Pyle said. He added that “there are far fewer cases left in modern enterprises where SMB1 is the only option.”

Here are the key security protections offered by later SMB protocol versions that aren’t found in SMBv1 according to Pyle:

  • Pre-authentication Integrity (SMB 3.1.1+). Protects against security downgrade attacks.
  • Secure Dialect Negotiation (SMB 3.0, 3.02). Protects against security downgrade attacks.
  • Encryption (SMB 3.0+). Prevents inspection of data on the wire, MiTM [man-in-the-middle] attacks. In SMB 3.1.1 encryption performance is even better than signing!
  • Insecure guest auth blocking (SMB 3.0+ on Windows 10+). Protects against MiTM attacks.
  • Better message signing (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.
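The PowerShell below, added here as an example and not part of Pyle’s post or of the original article, reads the settings behind those protections on a Windows 10 or Windows Server 2016 (or later) host, records which clients still use SMBv1 before it is switched off, and then disables SMBv1 and requires signing. The function names and the seven-day look-back window are assumptions made for this example; the cmdlets are Microsoft’s own SmbShare, DISM and event-log cmdlets. Run it in an elevated session.

```powershell
# Added example, not from the article, Pyle's post or Microsoft: audit and harden SMB on
# Windows 10 / Windows Server 2016 or later using the built-in SmbShare cmdlets.
# Run in an elevated PowerShell session. Function names are assumptions.

function Get-SmbSecurityPosture {
    # Read the settings that correspond to the protections listed above.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        SMB1Enabled         = $srv.EnableSMB1Protocol        # want: False
        SMB2And3Enabled     = $srv.EnableSMB2Protocol        # want: True (SMB2 and SMB3 share this switch)
        SigningRequired     = $srv.RequireSecuritySignature  # want: True (HMAC-SHA256 / AES-CMAC signing)
        EncryptAllShares    = $srv.EncryptData               # SMB 3.0+ encryption for every share
        RejectUnencrypted   = $srv.RejectUnencryptedAccess   # no cleartext fallback once EncryptData is on
        SMB1AuditEnabled    = $srv.AuditSmb1Access           # log SMB1 clients before switching SMB1 off
        ClientInsecureGuest = $cli.EnableInsecureGuestLogons # want: False (insecure guest auth blocking)
    }
}

function Enable-Smb1Audit {
    # Step 1: audit first. Every SMB1 session is then recorded as event 3000
    # in the Microsoft-Windows-SMBServer/Audit log.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 7)   # look-back window; 7 days is an assumption for this example
    # Step 2: after the audit window, list the clients that still spoke SMB1.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event text carries a "Client Address:" line; fall back to the full message.
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
        } | Sort-Object -Unique
}

function Invoke-SmbHardening {
    # Step 3: stop serving SMB1, require signing on SMB2/3, and block insecure guest logons.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force

    # Step 4: remove the SMB1 component itself so nothing can quietly turn it back on.
    # (Windows Server also exposes it as the FS-SMB1 feature: Uninstall-WindowsFeature FS-SMB1)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # Windows 7 / Server 2008 R2 have no SmbShare cmdlets; there the server side is
    # switched off through the registry value Microsoft documents for this purpose:
    # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    #     -Name SMB1 -Type DWord -Value 0 -Force
}

Get-SmbSecurityPosture
```

Run Get-SmbSecurityPosture first, then Enable-Smb1Audit and leave the server alone for the audit window; Get-Smb1Clients then tells you which printers, scanners or old workstations will break when Invoke-SmbHardening removes SMBv1, so they can be upgraded or replaced rather than discovered by a help-desk ticket.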

As one of its SMB security best practices, US-CERT recommends that IT administrators consider disabling SMBv1 and blocking all versions of SMB at the network boundary, by blocking TCP port 445, along with the related NetBIOS protocols on UDP ports 137 and 138 and TCP port 139, on all boundary devices.

Blocking all versions of SMB at the boundary, not just SMBv1, is a cybersecurity best practice, especially for the server holding your organization’s critical data: SMB, regardless of version, is by its very nature a protocol for sharing access to files, printers and other resources, and nothing outside your network should be able to reach it.
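As an added example that is not part of the original article or of US-CERT’s advisory, the PowerShell below does two things: it adds host-firewall rules that drop the SMB and NetBIOS ports named above from any address outside the local subnets, and it probes a host to confirm that SMBv1 is really gone. The probe sends an SMB1 NEGOTIATE that offers only the “NT LM 0.12” dialect, so a server that still speaks SMBv1 answers with an SMB1 header, while a server with SMBv1 disabled simply closes the connection. The rule names, the target host name and the sample reply bytes are assumptions made for this example.

```powershell
# Added example, not from the article, US-CERT or Microsoft. Part (a) adds host-firewall
# rules for the ports US-CERT names; part (b) probes a host for SMBv1 by sending an SMB1
# NEGOTIATE that offers only the 'NT LM 0.12' dialect. Rule names, $Target and the
# sample bytes are assumptions made for this example.

function Block-SmbFromInternet {
    # 'Internet' is a Windows Firewall address keyword: every address outside the local subnets.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS session (TCP 139) from Internet' `
        -Direction Inbound -Protocol TCP -LocalPort 139 -RemoteAddress Internet -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS name/datagram (UDP 137-138) from Internet' `
        -Direction Inbound -Protocol UDP -LocalPort '137-138' -RemoteAddress Internet -Action Block | Out-Null
}

function New-Smb1NegotiateRequest {
    # 32-byte SMB1 header followed by an SMB_COM_NEGOTIATE body carrying a single dialect.
    $header = [byte[]](
        0xFF, 0x53, 0x4D, 0x42,     # Protocol: \xFF 'S' 'M' 'B'
        0x72,                       # Command: SMB_COM_NEGOTIATE
        0x00, 0x00, 0x00, 0x00,     # Status
        0x18,                       # Flags: case-insensitive, canonical paths
        0x01, 0x40,                 # Flags2 (little-endian 0x4001): long names, NT status codes
        0x00, 0x00,                 # PIDHigh
        0, 0, 0, 0, 0, 0, 0, 0,     # SecurityFeatures
        0x00, 0x00,                 # Reserved
        0x00, 0x00,                 # TID
        0x2F, 0x4B,                 # PIDLow (arbitrary)
        0x00, 0x00,                 # UID
        0x00, 0x00)                 # MID
    $dialect = [System.Text.Encoding]::ASCII.GetBytes('NT LM 0.12') + [byte]0x00   # NUL-terminated
    $body = [byte[]](0x00) +                                  # WordCount = 0
            [byte[]](($dialect.Length + 1), 0x00) +           # ByteCount (LE) = format byte + string
            [byte[]](0x02) + $dialect                         # 0x02 = "dialect string" buffer format
    $smb = $header + $body
    $len = $smb.Length
    # NetBIOS session service framing: message type 0x00 and a 24-bit big-endian length.
    $nb = [byte[]](0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))
    return [byte[]]($nb + $smb)
}

function Test-Smb1Response {
    param([byte[]]$Bytes)
    # Offsets: 4-byte NetBIOS header, 32-byte SMB header, WordCount at 36, DialectIndex at 37-38.
    if ($Bytes.Length -lt 39) { return 'no SMB1 reply (connection closed or timed out)' }
    $magic = [System.Text.Encoding]::ASCII.GetString($Bytes, 5, 3)
    if ($Bytes[4] -eq 0xFE -and $magic -eq 'SMB') { return 'SMB2/3 reply only' }
    if ($Bytes[4] -ne 0xFF -or $magic -ne 'SMB' -or $Bytes[8] -ne 0x72) { return 'not an SMB1 NEGOTIATE reply' }
    $dialectIndex = $Bytes[37] -bor ($Bytes[38] -shl 8)
    # DialectIndex 0xFFFF means the server refused every dialect we offered.
    if ($Bytes[36] -eq 0 -or $dialectIndex -eq 0xFFFF) { return 'SMB1 listener present, NT LM 0.12 rejected' }
    return 'SMBv1 ENABLED: server accepted NT LM 0.12'
}

function Test-Smb1Remote {
    param([string]$Target, [int]$Port = 445, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $req = [byte[]](New-Smb1NegotiateRequest)
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 1024
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { $n = 0 }   # reset or timeout: no SMB1
        if ($n -le 0) { return 'no SMB1 reply (connection closed or timed out)' }
        return Test-Smb1Response -Bytes ([byte[]]$buf[0..($n - 1)])
    } catch { return "connect failed: $($_.Exception.Message)" }
    finally { $client.Close() }
}

# Constructed sample (not a capture): NetBIOS header + SMB1 NEGOTIATE reply with WordCount 17,
# truncated after DialectIndex 0, i.e. the server picked the only dialect offered.
$sampleSmb1Reply = [byte[]](0x00,0x00,0x00,0x23, 0xFF,0x53,0x4D,0x42, 0x72, 0,0,0,0, 0x98, 0x01,0x40,
                            0,0, 0,0,0,0,0,0,0,0, 0,0, 0,0, 0x2F,0x4B, 0,0, 0,0, 0x11, 0x00,0x00)
Test-Smb1Response -Bytes $sampleSmb1Reply
Test-Smb1Response -Bytes ([byte[]]@())
# Test-Smb1Remote -Target 'fileserver01.example.internal'   # live probe against a host you own
```

The firewall rules are a host-level backstop; the same ports still need to be blocked on the perimeter devices US-CERT refers to. The probe is deliberately SMB1-only: it never offers an SMB2 dialect, so a modern server that has SMBv1 removed has nothing to negotiate and drops the connection, which the function reports as no SMB1 reply. Point Test-Smb1Remote only at systems you are authorized to test.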

If you need help with the security of your servers and data, connect with us today and we will be happy to help.
