SMBLoris 0-day vulnerability presented on Defcon 25

There is a new 0-day vulnerability called SMBLoris, presented yesterday by Sean Dillon (@zerosum0x0) at DEFCON 25, which allows a remote attacker to run a DoS attack against SMB. The remote attacker can launch the DoS attack by sending multiple SMB requests to the remote machine. The SMBLoris vulnerability can be exploited from a single machine with a low-bandwidth connection as well, hence the name, similar to Slowloris (a similar DoS vulnerability on web servers).

Recommended Action: While this has been reported earlier to Microsoft, Microsoft set the risk rating as Medium and won't issue any patch for this vulnerability on SMB v1. Hence the best practice is as follows:

1- Assess dependency on SMBv1

2- Block Ingress SMBv1 request on Internet Facing Servers

3- For those dependent servers and applications, monitor ingress SMB connections on port 445 for multiple requests and raise a flag for it (Detail: log all incoming SMB requests on the firewall, then define a rule on the SIEM to detect and raise a flag for multiple SMB requests coming from a single source.)

4- Plan to upgrade to a higher SMB version (SMBv2, SMBv3).

5- For independent machines and applications, block SMBv1.
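A minimal stand-in for the firewall-log-to-SIEM rule in step 3, as an added example that is not part of the original post. The log line format, the sample entries, and the threshold (5 connections) and window (60 seconds) are all constructed assumptions for illustration; a real firewall emits a different format and the tuning values should come from a baseline of normal SMB traffic on the monitored server. It goes slightly beyond the post by ignoring sources that connect often but slowly, so a legitimate low-rate client is not flagged.

```python
"""Flag sources opening many SMB (TCP/445) connections in a short window.

Added example, not from the original post: the per-source counting that a
SIEM rule would do over firewall accept logs. Log format and sample lines are
constructed; real firewall formats differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a hypothetical firewall accept-log format.
# 203.0.113.10 opens 8 SMB connections in 40 s; 198.51.100.20 opens 6 but
# spread two minutes apart; 198.51.100.7 opens 2, far apart.
SAMPLE_LOG = """\
2017-07-30T10:00:00 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:05 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:06 ACCEPT TCP src=198.51.100.7 dst=192.0.2.5 dport=445
2017-07-30T10:00:10 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:12 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=80
2017-07-30T10:00:15 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:20 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:25 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:30 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:00:40 ACCEPT TCP src=203.0.113.10 dst=192.0.2.5 dport=445
2017-07-30T10:02:00 ACCEPT TCP src=198.51.100.20 dst=192.0.2.5 dport=445
2017-07-30T10:04:00 ACCEPT TCP src=198.51.100.20 dst=192.0.2.5 dport=445
2017-07-30T10:06:00 ACCEPT TCP src=198.51.100.20 dst=192.0.2.5 dport=445
2017-07-30T10:08:00 ACCEPT TCP src=198.51.100.20 dst=192.0.2.5 dport=445
2017-07-30T10:10:00 ACCEPT TCP src=198.51.100.20 dst=192.0.2.5 dport=445
2017-07-30T10:12:00 ACCEPT TCP src=198.51.100.20 dst=192.0.2.5 dport=445
2017-07-30T10:12:30 ACCEPT TCP src=198.51.100.7 dst=192.0.2.5 dport=445
this line is not a firewall record and is skipped
"""

# Hypothetical record layout: "<timestamp> ACCEPT TCP src=.. dst=.. dport=.."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ACCEPT TCP "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line; return a dict, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def _max_in_window(timestamps, window_seconds):
    """Largest number of events from a sorted list that fall in any window."""
    recent = deque()
    peak = 0
    for ts in timestamps:
        recent.append(ts)
        # Drop events older than the window relative to the newest one.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def peak_connection_rate(log_text, port=445, window_seconds=60):
    """Per source IP, the most connections to `port` seen within any window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            by_src[rec["src"]].append(rec["ts"])
    return {src: _max_in_window(sorted(ts), window_seconds)
            for src, ts in by_src.items()}


def find_smb_floods(log_text, threshold=5, window_seconds=60):
    """The 'raise a flag' rule: sources whose peak SMB rate reaches threshold."""
    rates = peak_connection_rate(log_text, 445, window_seconds)
    return {src: n for src, n in rates.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_smb_floods(SAMPLE_LOG).items():
        print(f"ALERT: {src} opened {n} SMB connections within 60 s")
```

Run as a script it prints one alert for 203.0.113.10; the slow source 198.51.100.20 never has more than one connection inside a 60-second window, so it stays quiet. On a real SIEM the same logic is usually expressed as a count-by-source over a time bucket; the sliding window here is the stricter form and catches bursts that straddle bucket boundaries.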

Reference:

1- http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

2- https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/


Windows Critical Security Update- Remote Code Execution

A new vulnerability has been discovered that allows remote code execution by opening specially crafted documents or untrusted web pages in which OpenType fonts have been embedded. The targets of this vulnerability are Windows Vista (SP2), Windows Server (2008 & 2012, Core Installation) and Windows Server (2008 & 2012) R2 (32/64), Windows 7 (32/64), as well as Windows 8 and 8.1 and RT 8.0 and RT 8.1.

Metasploit Lovers:

Metasploit hasn’t updated their exploits for this vulnerability yet.

For more information refer to the following link:

https://technet.microsoft.com/en-us/library/security/MS15-078