An unreleased cache of cyberweapons that reportedly contains a zero-day exploit targeting the Windows Server Message Block protocol has led US-CERT to remind users not to use an outdated version of SMB.
The hacking group known as the Shadow Brokers has not yet released the full dump of the National Security Agency Equation Group hacking tools, so the existence of a Windows SMB exploit has not been confirmed. Even so, US-CERT said enterprises should disable Windows SMB version 1 and block all SMB traffic at network boundaries. SMB enables shared access to network resources and was introduced in Windows 95.
"In response to public reporting of a potential Server Message Block vulnerability, US-CERT is providing known best practices related to SMB," US-CERT wrote in an advisory. "This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems."
John Chirhart, federal technical director at Tenable Network Security, headquartered in Columbia, Md., said admins may not even know if Windows SMB v1 is enabled on their networks.
"Surprisingly, there is still a fair amount of SMB v1 enabled on networks, especially legacy systems that have yet to be modernized and/or replaced," Chirhart told SearchSecurity via email. "SMB v1 is enabled by default on certain operating systems, but not all. Most users who have SMB v1 either don't realize it is enabled, or don't fully understand the risk it poses to their network."
Richard Henderson, global security strategist for Absolute Software Corp., an endpoint security and data risk management company headquartered in Vancouver, B.C., agreed there might be a large number of vulnerable servers.
"SMB v1 is a protocol that's been around for well over three decades now, and [it] was created in an era much different than what we know now," Henderson told SearchSecurity. "It's not safe to use, and Microsoft has been asking customers for literally years to stop using it unless absolutely necessary."
Mark Longworth, CEO of Shevirah Inc., a mobile security startup based in Herndon, Va., told SearchSecurity that Windows SMB v2 has been in use for more than 10 years and is far more secure because it doesn't require the NetBEUI layer, which causes many of the security issues found in SMB v1.
"Enterprises still using SMB v1 are likely those with Windows Server 2003 -- or earlier -- servers and/or Windows XP desktops. Microsoft ceased support for Windows XP in 2014 and Windows 2003 in 2015," Longworth said. "Enterprises still operating these are already overdue for security recapitalizations, regardless of the US-CERT advisory."
Experts widely agreed that disabling Windows SMB v1 should not be difficult and would require little more than a registry edit, as described in an advisory by Microsoft.
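Since admins may not know whether SMB v1 is enabled, and since a fix comes down to a configuration change, here is an added PowerShell example (not code from the article, US-CERT or Microsoft) that audits a host's SMB v1 state, lists clients still negotiating SMB1 and then disables the protocol on both the server and client side. It assumes Windows 8 / Server 2012 or later for the `Smb*` cmdlets, an elevated session, and the Microsoft-documented LanmanServer registry value and `sc.exe` dependency change for older hosts; the function names `Get-Smb1Status` and `Disable-Smb1` are hypothetical.

```powershell
# Added example: audit and disable SMBv1 on one Windows host (run elevated).

function Get-Smb1Status {
    # Server side: is the SMB1 dialect still offered to clients?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client side: start type of the SMB1 redirector driver (mrxsmb10)
    $client = (Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue).StartType
    # Who is negotiating SMB1 right now? Dialect "1.x" means an SMB1 session.
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
    [pscustomobject]@{
        ServerSmb1Enabled  = $server
        ClientMrxSmb10     = $client
        ActiveSmb1Sessions = @($smb1Sessions)
    }
}

function Disable-Smb1 {
    # 1. Server: stop offering SMB1 (no reboot needed on modern hosts).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Same setting as a registry value, the method documented for older servers.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    # 3. Client: drop the SMB1 redirector from the workstation dependencies
    #    and disable its driver (reboot required for this part).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # 4. Where SMB1 ships as a removable optional feature, remove it as well.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Audit first: every entry in ActiveSmb1Sessions is a client that will break
# when SMB1 goes away, so those get upgraded or replaced before the switch.
$before = Get-Smb1Status
$before | Format-List
if ($before.ActiveSmb1Sessions.Count -eq 0) {
    Disable-Smb1
    Get-Smb1Status | Format-List   # confirm ServerSmb1Enabled is now False
} else {
    Write-Warning "Clients still negotiating SMB1; migrate them before disabling."
}
```

Blocking SMB at the network boundary, the other half of the US-CERT advice, is a perimeter firewall task (TCP 445 and 139, UDP 137 and 138) rather than a host setting, so it is not covered by this script.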
Henderson said the US-CERT advisory is interesting and proactive, but noted that any enterprise not already mitigating the risk of Windows SMB v1 "likely has a very important reason why."
"When it comes to US-CERT taking the initiative to get some info out there, even though the Shadow Brokers-disclosed vulnerability isn't confirmed, the advice they're offering is something that should be followed, and should have been followed by the majority of systems administrators years ago," Henderson said.
John Bambenek, threat systems manager at Fidelis Cybersecurity, based in Bethesda, Md., said the advisory by US-CERT was more of a reminder of best security practices than a warning of immediate danger.
"I view this advisory as using the vulnerability as a hook to remind people that there are best practices that they really should be doing, regardless of a vulnerability or not," Bambenek told SearchSecurity. "When it comes to security awareness, sometimes you need to wait for excuses to remind people of what they should be doing anyway."