A security researcher says a vulnerability first discovered nearly two decades ago remains a major concern: it lets attackers steal login credentials from any Windows device and affects nearly three dozen software products.
The security risk, called Redirect to SMB, impacts all Windows PCs, tablets and servers as well as software from some of the biggest names, including Apple, Oracle and Symantec. The vulnerability was disclosed publicly on Monday, April 13, by Carnegie Mellon University's Computer Emergency Response Team (CERT).
Here is how CERT describes the vulnerability:
"Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to a file:// protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user's credentials is then logged on the malicious server. This vulnerability is alternatively known as 'Redirect to SMB.'"
Brian Wallace of Cylance uncovered the vulnerability and reported in a blog post that his company spent six weeks working with CERT and other tech vendors to reduce the potential threat and find a fix.
According to Cylance, the Redirect to SMB threat lets cyber thieves use a man-in-the-middle attack to hijack the communication between a user's software and a web server, redirecting it to a malicious SMB (Server Message Block) server. The victim's Windows system then authenticates to that server, handing over the user's credentials, such as username and password, in encrypted form.
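The redirect pattern CERT describes (an HTTP response that sends a Windows client to a file:// URL or UNC path on a remote host) can be hunted for in web proxy logs. The following Python script is an added example, not code from CERT, Cylance or Microsoft; its four-column log format, the sample records and the IP addresses in them are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (not real traffic). Assumed record format, one per line:
#   <client-ip> <requested-url> <http-status> <Location-header-or-'-'>
SAMPLE_LOG = r"""
10.0.0.5 http://updates.example.test/check 302 https://updates.example.test/v2/check
10.0.0.5 http://cdn.example.test/logo.png 200 -
10.0.0.7 http://updates.example.test/check 302 file://203.0.113.10/share/update.exe
10.0.0.8 http://intranet.example.test/doc 302 file:///C:/Users/Public/readme.txt
10.0.0.9 http://img.example.test/b.gif 301 \\203.0.113.10\share\b.gif
"""

# A UNC path: two leading backslashes, a host name, then a path separator.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def smb_redirect_target(location):
    """Return the remote host a Location value would make a Windows client
    contact over SMB (a file:// URL with a network host, or a UNC path).
    Local file:/// paths and ordinary http(s) targets return None."""
    if location in ("", "-"):
        return None
    m = UNC_RE.match(location)
    if m:
        return m.group(1)
    parsed = urlparse(location)
    if parsed.scheme.lower() == "file" and parsed.netloc:
        return parsed.netloc
    return None


def find_smb_redirects(log_text):
    """Flag every 3xx response whose Location points at an SMB-reachable host.
    Returns a list of (client_ip, requested_url, status, smb_host) tuples."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # blank or malformed record
        client, url, status, location = parts
        if not status.startswith("3"):
            continue  # only redirects carry a Location header worth checking
        host = smb_redirect_target(location)
        if host:
            findings.append((client, url, int(status), host))
    return findings


if __name__ == "__main__":
    for client, url, status, host in find_smb_redirects(SAMPLE_LOG):
        print(f"{client} requested {url}, got {status} redirect to SMB host {host}")
```

The local file:///C:/ redirect in the sample is deliberately not flagged: no remote host means no SMB authentication attempt, which is the case the detection should not alert on.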
For its part, Microsoft is downplaying the reported security issue and believes the threat is not as severe as CERT, Wallace and Cylance claim.
"Several factors would need to converge for a 'man-in-the-middle' cyber attack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature," stated Microsoft. "There are also features in Windows, such as Extended Protection for Authentication, which enhance existing defenses for handling network connection credentials."
CERT, as part of its announcement, offered several workarounds:
- Block outbound SMB: consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN.
- Update NTLM group policy.
- Use a strong password and change passwords frequently. Since the credentials are provided to the attacker in encrypted form, a stronger password takes longer to break, and changing passwords regularly further deters brute-force attacks against the captured credentials.