What Is SMB Protocol and Why Is it a Security Concern?

In this article, we explain what SMB (Server Message Block) protocol is and provide an overview of security concerns and issues on the SMB protocol.

What Is SMB Protocol?

Short for Server Message Block, SMB is an application layer protocol that allows for file, printer, device sharing and inter-process communication (IPC) between applications on a network through a client-server architecture. In other words, computers (SMB clients) on a network can connect to SMB servers to access shared files and directories or perform tasks like printing over the network.

Background

SMB was created by IBM in 1984 for local file sharing. Over time, multiple variations of the SMB protocol were developed to extend its features and meet evolving network and security requirements. Generally speaking, SMBv2 reduced the chattiness of the protocol, and SMBv3 added further performance enhancements and strong end-to-end encryption. A brief overview of the SMB versions is given below:

  • SMBv1: The first version of SMB was released in 1984 by IBM for file sharing in DOS.
  • CIFS: With Windows 95, Microsoft released an updated version of SMBv1 and renamed it as CIFS, short for Common Internet File System.
  • SMBv2: With Windows Vista, Microsoft released SMBv2, which came with notable performance improvements and increased efficiency.
  • SMBv2.1: With Windows 7, SMBv2.1 was released with further performance improvements.
  • SMBv3: With Windows 8, SMBv3 was released with significant security updates, including end-to-end encryption.
  • SMBv3.02: With Windows 8.1, SMBv3.02 provided further security enhancements, especially due to the ability to disable the insecure SMBv1.
  • SMBv3.1.1: In 2015, with Windows 10 and Windows Server 2016, the latest version of SMB, SMBv3.1.1, was released. This version provides protection against man-in-the-middle attacks, supports AES-128-GCM (Advanced Encryption Standard with 128-bit keys in Galois/Counter Mode) encryption and implements pre-authentication integrity checks using SHA-512 (Secure Hash Algorithm).

How Does SMB Protocol Work?

To begin with the communication model, SMB works in a client-server architecture. In this model, SMB servers provide network resources, such as files or printers, to other computers, known as clients. Through this feature, users on different remote devices can collaborate on shared files and print their documents on shared printers over a network.

In addition to this primary functionality of sharing files and printers on servers, SMB also provides authenticated inter-process communication (IPC) between processes running on remote computers. For this purpose, a special network share, known as the IPC share (ipc$), is used on Windows computers to facilitate communication between processes and remote computers.

With regard to the OSI model, SMB operates at layer 7 as an application layer protocol and relies on lower-level protocols for transport. In early versions of Windows, SMB ran on top of the NetBIOS protocol and used ports 137, 138 and 139 (UDP ports 137 and 138, and TCP ports 137 and 139). NetBIOS, a session layer protocol (layer 5 in the OSI model), allows applications to communicate over a local area network (LAN) using device-specific NetBIOS names in addition to IP addresses. However, since Windows 2000, SMB runs directly on TCP/IP and uses port 445.

Figure 1: Network Stack for SMB Protocol

What is Samba?

SMB is a Windows-specific protocol, and non-Windows computers or servers on a network cannot interact with Windows computers through SMB.

For this reason, in 1992, an open source implementation of the SMB protocol, known as Samba, was released for Unix and Linux systems. It supports features similar to those of SMB, and it can communicate not only among Unix/Linux devices and servers but also with Windows clients.

Security Issues and Concerns

Especially due to its wide array of features and complex implementation (which runs contrary to the “Economy of Mechanism” principle), quite a number of SMB-related vulnerabilities have been discovered over the years, and some of them caused serious security incidents around the world.

The most infamous of these vulnerabilities were five Remote Code Execution (RCE) vulnerabilities (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148) that affected Windows computers running SMBv1. Microsoft subsequently released a patch (MS17-010) on March 14, 2017; however, experts advised users and administrators to take the additional step of disabling SMBv1 on all systems.

Multiple Windows SMB Remote Code Execution Vulnerabilities (MS17-010)

"Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server."

Only a month after the patching of the MS17-010 vulnerabilities, on April 14, 2017, a hacker group called the Shadow Brokers leaked the EternalBlue exploit, which was allegedly developed by the U.S. National Security Agency (NSA). Following this revelation, two infamous malware families that propagated via the EternalBlue exploit were detected. First, the WannaCry global ransomware attack took place in May 2017, affecting more than 200,000 computers that had not been patched. Then, in June 2017, a more devastating ransomware named NotPetya affected even fully patched computers using the EternalRomance and EternalBlue exploits. NotPetya caused more than $10 billion in damages according to a White House report.

As more recent examples, the following two notable SMB vulnerabilities affecting SMBv3.1.1 were discovered in 2020.

  • CVE-2020-0796 (SMBGhost): A Remote Code Execution (RCE) vulnerability (with a CVSS rating of 10.0) that allows an attacker to run arbitrary code remotely due to a buffer overflow that exists in SMB’s decompression function.
  • CVE-2020-1206 (SMBleed): An information disclosure vulnerability (with a CVSS rating of 7.5) that allows a malicious user to obtain sensitive information by remotely leaking kernel memory, due to a buffer overflow flaw that exists in SMB’s decompression function.

Security Measures

Given the WannaCry and NotPetya malware and several other vulnerabilities, including SMBGhost and SMBleed, which were discovered in the most recent SMB version (v3.1.1), many network administrators and security professionals wonder whether SMB should be deployed on their networks at all. Generally speaking, the latest, fully patched version of SMB is considered a secure protocol. However, to reduce the security risks associated with SMB, the following actions should be taken:

  • Do not use SMBv1: it lacks encryption, it is inefficient, and, due to its complex implementation, other critical bugs similar to the MS17-010 vulnerabilities could surface in the future.
  • Prefer the latest SMB version (SMBv3.1.1 as of this post’s date) whenever possible. SMBv3.1.1 is more efficient than the earlier SMB versions and provides state-of-the-art security features.
  • As a best security practice (least privilege), SMB access should be restricted to trusted networks and clients only.
  • Last but not least, if SMB functionality is not required, SMB should be disabled on Windows platforms to reduce the overall attack surface and to leak as little fingerprinting information as possible to attackers.
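
As an added illustration of these measures (not part of the original article), the following PowerShell, run in an elevated session on Windows 8 / Server 2012 or later with the built-in SmbShare, DISM and NetSecurity modules, first audits which SMB dialects and shares are actually in use, then disables SMBv1, enforces SMBv3 signing and encryption, and scopes inbound TCP 445 to a trusted subnet. The subnet value is a placeholder and the built-in firewall rule name is an assumption; adapt both to your environment.

```powershell
# Added example: audit and harden SMB on a Windows host. Run elevated.
$TrustedClients = '10.0.0.0/24'   # placeholder subnet, replace with your management network

# 1. Audit before changing anything: which dialects are in use right now?
#    Sessions below 3.x identify legacy clients that would break once SMBv1 is gone.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect | Format-Table -AutoSize

# Shares this host exposes; IPC$ is the named-pipe share used for inter-process communication.
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

# 2. Turn off the SMBv1 server if it is still enabled.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Remove the SMBv1 component entirely (client and server side); a reboot may be required.
# On Windows Server the equivalent feature is removed with: Uninstall-WindowsFeature FS-SMB1
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Require the SMBv3 protections: signing for integrity, encryption for confidentiality,
#    and refuse clients that cannot negotiate encryption (this alone excludes SMBv1/SMBv2 clients).
Set-SmbServerConfiguration -RequireSecuritySignature $true `
                           -EncryptData $true `
                           -RejectUnencryptedAccess $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 4. Least privilege at the network edge: keep the default inbound action at Block and
#    scope the built-in SMB allow rule to trusted clients only. (Windows Firewall evaluates
#    Block rules before Allow rules, so adding a blanket Block rule would cut off the
#    trusted subnet too; scoping the Allow rule is the correct approach.)
Set-NetFirewallProfile -All -DefaultInboundAction Block
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' `
    -RemoteAddress $TrustedClients -Enabled True   # assumed built-in rule name

# 5. Verify the end state.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, RequireSecuritySignature,
                  EncryptData, RejectUnencryptedAccess
```

If the host does not need to serve files at all (the last bullet above), stop and disable the Server service instead: `Stop-Service LanmanServer; Set-Service LanmanServer -StartupType Disabled`.
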
Quote by Matt Bishop

With efficiency, you focus on making the entire program faster. If there are one or two outlier cases, you typically don’t worry about them. But with security, it’s exactly the opposite. You secure the average, but the outliers are really the ones you worry about, because those are the ones that attackers look for.

Matt Bishop
