A new twist on an old vulnerability has been found to affect all versions of Windows, and could lead to man-in-the-middle attacks.
In a blog post Monday, Brian Wallace, senior researcher for the SPEAR team at Irvine, Calif.-based security firm Cylance Inc., described an attack called "Redirect to SMB," which is said to affect all versions of Windows as well as other software from 31 companies, including Adobe Systems Inc., Apple Inc., Box Inc., Microsoft, Oracle Corp. and Symantec Corp.
Cylance said the vulnerability could be exploited by attackers to perform man-in-the-middle attacks and steal user credentials by hijacking communications with legitimate Web servers.
Redirect to SMB is based on research conducted 18 years ago by Aaron Spangler, and is an extension of a vulnerability that Microsoft promised to patch in 2009 but ultimately did not, releasing only an advisory and a workaround.
The original vulnerability (CWE-201) was first published in July 2008. The attack could be performed by convincing the target to click on a link that leads to a URL that begins with file://, which would cause the operating system to attempt to authenticate with a server using the Server Message Block (SMB) protocol, and allow an attacker to crash the target machine.
The Redirect to SMB attack extends the original method by first creating a way to redirect the target from an HTTP server to an SMB server, and then allowing the transmission of credential data over HTTP/HTTPS. Wallace said that Cylance found four commonly used Windows API functions that would allow for redirection from HTTP/HTTPS to SMB, which led to the discovery that this flaw also affected other software including commonly used applications like Adobe Reader, Apple iTunes and Internet Explorer; developer tools like GitHub for Windows; and even antivirus software like Symantec's Norton Security Scan.
Wallace said that the vulnerability would most likely be used in a targeted attack by an advanced threat actor because it requires control over some components of a victim's network traffic. However, Wallace also noted that an attack could be launched via a malicious ad or through a shared Wi-Fi access point.
Wallace said that the best mitigation is to block outbound traffic on TCP ports 139 and 445, either at the endpoint or at the network gateway. Wallace warned that blocking TCP 139 will block all SMB communication, which may disable other features that depend on SMB.
Microsoft has not released a patch for the vulnerability, but a spokesperson did point to the security guidance from 2009, which suggests the same TCP blocking workaround.
Microsoft also noted that Windows features like Extended Protection for Authentication would help mitigate threats by enhancing existing defenses for handling network connection credentials.
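As an added illustration of the outbound-blocking workaround described above (this script is not from Cylance or Microsoft), the following PowerShell first lists the endpoint's current outbound SMB sessions so the impact of the block on file shares and similar features can be judged, then creates and verifies a Windows Defender Firewall rule for TCP 139 and 445. It assumes an elevated session on Windows 8 / Server 2012 or later (NetSecurity module); the rule name and the test host are placeholders.

```powershell
# Added example, not from the article: endpoint-side block of outbound SMB
# (TCP 139/445) as a Redirect to SMB mitigation, with an impact check first.
# Assumes an elevated PowerShell session with the NetSecurity module.

$ruleName = 'Block outbound SMB (Redirect to SMB mitigation)'   # placeholder name

# 1. Assess impact before blocking: every established outbound SMB session
#    listed here (file shares, printers, backup jobs) will be cut off.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 139, 445 } |
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess |
    Format-Table -AutoSize

# 2. Create the block rule once. Block rules take precedence over allow
#    rules in Windows Firewall, so this stops SMB to every destination,
#    including internal file servers; narrow it with -Profile (for example
#    Public only, covering the shared Wi-Fi case) if that is too broad.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemotePort 139, 445 `
        -Profile Any | Out-Null
}

# 3. Verify the rule's port filter and that an outbound SMB connection to
#    a test host (placeholder; use one you own) is now refused.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

$blocked = -not (Test-NetConnection -ComputerName 'smb-test.example.invalid' `
                     -Port 445 -InformationLevel Quiet)
"Outbound TCP 445 blocked: $blocked"
```

Remove the rule later with `Remove-NetFirewallRule -DisplayName $ruleName` if SMB access to internal servers has to be restored.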