Beware SMB1, the end draws near. At Microsoft’s June 2017 Interop event, Microsoft Principle Program Manager Ned Pyle delivered the eulogy for the outdated – and extremely vulnerable – version of the Server Messaging Block (SMB) protocol.
One simple, yet powerful slide from Mr. Pyle laid out the grave future for SMB1:
Why would device manufacturers do this? We’ve covered some of the reasons in a previous blog post, so you can get more details there. But all network device manufacturers should be preparing for the inevitable day Microsoft pulls the plug on SMB1 for good. Officially, SMB1 is in a deprecated state, though not fully removed. According to Jose Barreto, Principal Program Manager at Microsoft, “the fact that the feature is deprecated is a warning that it could go away at any time.”
SMB1 is full of vulnerabilities
Since SMB’s inception in the 1990s, the protocol has seen three series of versions: SMB1, SMB2, and the present-day SMB3. SMB1, the first version of the protocol, was deemed slow and unsafe years ago. Up until 2017, nearly 50 vulnerabilities have been found in SMB1, resulting in 21 patches since 2016 alone. One such vulnerability was discovered right here at Tuxera and documented in Microsoft Security Bulletin MS16-114. I spoke with Oleg Kravtsov, Lead Developer for the Tuxera SMB Server Implementation (now called Fusion File Share by Tuxera as of 2019), to tell us a bit more about the details of this vulnerability. Oleg was one of the engineers responsible for uncovering the issue found in MS16-114, which was cause enough for Microsoft to release a security update to fix it.SMB torture testing identifies issues
Oleg explains, “When we identified the vulnerability, we were performing an SMB torture test. Our team has extended the traditional torture test suite to include over 400 of our own tests, bringing the total number of tests to nearly 1,300. The torture test was designed to show how Fusion File Share by Tuxera – and Windows SMB server – would behave under a pre-defined sequence of requests on a shared file. We were purposefully trying to make both servers perform strangely. What it means in practice is we’re not only testing Tuxera’s own implementation, but also the Windows specification itself. As a result, if we see some unusual behavior in Windows, we investigate the issue and send our findings to Microsoft for review.” The MS16-114 vulnerability discovered by Tuxera requires an authenticated user (logged in with a password, or as guest when the guest user is enabled), to send a predefined sequence of packets to the server. Oleg continues, “The vulnerability was only revealed through one of our own tests. The original SMB torture test suite would not have otherwise revealed this issue. What we found when using our combination of requests made to a file was that the Windows SMB server replied a null response. That meant something didn’t go right. That was a surprise for us. So, we decided to test what would happen if we tried to play with the file in question – just like a hacker might. When we sent another trivial request to that file, we managed to completely crash Windows.” That meant that theoretically, if an attacker were to get the credentials to the system and log in to Windows SMB1 Server, they could send the sequence of packets we identified and entirely crash people’s Windows systems. Once the Tuxera SMB team discovered this potentially serious vulnerability, they reported it right away to Microsoft. The team also demonstrated the crash at a Microsoft 2016 Interop event.SMB3 server is secure – but only if SMB1 is disabled
The current version, SMB3, includes modern-day security features such as SMB Encryption and improved digital message signing that protect networks from cryptoworms and other ransomware. But guess what? There is an alarming amount of old and new routers, network attached storages (NAS), and other network devices that still rely on the unsecure, vulnerable SMB1 version! This is a grave concern because according to Mr. Pyle, whenever the old SMB1 version is enabled, all security features are rendered meaningless. This is because the attacker can choose to downgrade the protocol used to SMB1. Let that sink in for a moment: if your device manufacturer enables SMB1, it completely negates all the advanced security features provided by SMB3! If you want to check if your devices might be vulnerable, Mr. Pyle keeps a tally on SMB1-dependent devices.
Why would device manufacturers do this? We’ve covered some of the reasons in a previous blog post, so you can get more details there. But all network device manufacturers should be preparing for the inevitable day Microsoft pulls the plug on SMB1 for good. Officially, SMB1 is in a deprecated state, though not fully removed. According to Jose Barreto, Principal Program Manager at Microsoft, “the fact that the feature is deprecated is a warning that it could go away at any time.”