The Websense Security Labs™ team is aware of a recent discovery that provides attackers with the potential to intercept sensitive user credentials (username, domain, and hashed password). The attack relies on an end user being directed to, and authenticating against, an attacker-controlled SMB (Server Message Block) server. SMB is most often used to access file shares across networks.
Several new ways have been discovered to induce an 18-year-old vulnerability in the handling of such traffic. The attack type is being called “Redirect To SMB.” Several popular applications are vulnerable to this attack method. Reports indicate that while no attacks have been seen in the wild at the time of this writing, the implications of the vulnerability are suitably severe to warrant a triage of the issue and a description of how your organization could be affected.
Is this is a new discovery?
The discovery of new attack methods has been achieved only recently. Vulnerability Notes Database announced the issue to the public based on analysis by Cylance.
The issue has been assigned designation VU#672268.
How would the attack work?
The “Redirect To SMB” attack describes any method used to send users to, and authenticate them against, a malicious SMB server. Username, domain, and the (typically) hashed password can be intercepted.
The following scenarios have been illustrated:
- A website could redirect a user to an SMB server under the attacker’s control. This website could be disseminated using the email vector, via malvertising (malicious advertisements) or simply by luring the end user to a website that redirects.
- A man-in-the-middle (MITM) attack could intercept user traffic and redirect to the appropriate SMB server.
- The update mechanisms of numerous products are said to to be vulnerable (Adobe® Reader®, Apple® QuickTime®, and others) due to their using HTTP requests to access software updates. A MITM attack could intercept and change the destination of the request to a SMB server under the attacker’s control.
Current thinking proposes the following mitigation advice. Not all may be suitable for your organization.
- SMB traffic operates over TCP 139 and TCP 445. This communication could be blocked using a device such as a firewall, particularly the network gateway firewall, to prevent only SMB communications to destinations outside of your network.
- Apply any applicable software patches from vendors as they are released.
- End users should be encouraged to use strong passwords to increase the time required for a simple brute force of any hashing algorithms.
- Additional mitigation methods are described in the Cylance white paper located here.
Websense Security Labs will continue to monitor any developments related to this issue.
By Carl Leonard, Principal Security Analyst, Websense
About Websense, Inc.
Websense, Inc. is a global leader in protecting organisations from the latest cyber-attacks and data theft. Websense TRITON® comprehensive security solutions unify web security, email security, mobile security and data loss prevention (DLP) at the lowest total cost of ownership. More than 11,000 enterprises rely on Websense TRITON security intelligence to stop advanced persistent threats, targeted attacks and evolving malware. Websense prevents data breaches, intellectual property theft and enforces security compliance and best practices. A global network of channel partners distributes scalable, unified appliance and cloud-based Websense TRITON solutions.