SMBLoris 0-day vulnerability presented on Defcon 25

There is a new 0-day vulnerability called SMBloris presented yesterday ny Sean Dillon @zerosum0x0 DEFCON 25 which allows remote attacker to run a DoS attack against SMB called SMBLoris. Remote attacker can lunch DoS attack by requesting multiple SMB requests to the remote machine. SMBLoris vulnerability can be rendered with a single machine and a low bandwidth connection as well. Hence the name is similar as SlowLoris (Similar DoS Vulnerability on Web Servers). Recommended Action: While this has been reported earlier to Microsoft, Microsoft set the risk rating as Medium. and wont issue any Patch for this vulnerability on SMB v1. Hence the best practice is as follows:

1- Assess dependency on SMBv1

2- Block Ingress SMBv1 request on Internet Facing Servers

3- For those dependent Servers and Applications, Monitor the ingress Multiple SMB request connections on port 445 and raise the Flag for it, (Detail: Log all incoming SMB request on firewall, and then define a role on SIEM to detect and raise a flag for multiple SMB request coming from a single source.)

4- and plan to upgrade to the higher SMB version (SMBv2,SMBv3)

5- For independent machines and application, Block SMBv1.





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s