SMBLoris


From what I understand, SMBLoris is very dangerous when running from inside an organization and at the same time easy to exploit. Why did you choose not to release a patch?

3 Replies
Thanks for the question! The owner of SMB isn't in the room right now, but we've reached out to get your question answered.
Thank you. By the way, I had to edit my profile. I'm Torsten, not Alexei. Never entered this name...

Hi. SMBLoris has no known attack vehicles, just a demo proof of concept. MSRC rated it as Moderate/DoS because it is blocked at the network edge by normal port 445 firewall rules. Inside of a network, its usage would only announce and pinpoint the attacker - a single node sending a large number of unauthenticated SMB connections. Those connections can then also be temporarily blocked by individual nodes' own software firewalls blocking 445 until the attackers inside the LAN are removed. Since the attack's novelty is that only a single node is involved, a network capture running against the target that you temporarily exposed would quickly identify the client. It would only be somewhat effective in an entirely unmanaged network with no permanent IT staff.


It is likely we will patch this in a later semi-annual release of Windows / Windows Server, in order to prevent unmanaged consumer users with no firewalls configured from being affected. Moderate-rated vulnerabilities often get fixed in this manner for the sake of completeness. To have that change backported is much less likely though. The patch itself carries some application compatibility risk (as do all rate limiters), perhaps leading to affecting customers unnecessarily, so it must be designed and tested carefully.
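The reply above notes that the attack stands out on the wire because a single node opens a large number of unauthenticated connections to port 445. As an added example, not code from this thread or from Microsoft, the script below runs that detection idea over a constructed connection log: it counts per-source connections to TCP/445 in a sliding window and flags any source that crosses a threshold. The log line format, IP addresses, threshold and window are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's format):
# <ISO timestamp> src=<ip> dst=<ip> dport=<port> state=<tcp state>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) state=(?P<state>\w+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "state": m["state"]}


def find_smb_floods(lines, threshold=50, window=timedelta(seconds=60)):
    """Return {src: peak_count} for every source that opened at least `threshold`
    connections to TCP/445 within any `window`-long interval.
    Lines are assumed to be time-ordered per source; other ports are ignored."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)       # src -> largest window count seen
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dport"] != 445:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop entries older than the window
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def build_sample_log():
    """Constructed sample: one noisy source, one ordinary SMB client, one HTTPS client."""
    t0 = datetime(2017, 8, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} src=10.0.5.23 "
             f"dst=10.0.1.10 dport=445 state=SYN" for i in range(80)]
    lines += [f"{(t0 + timedelta(seconds=10 * i)).isoformat()} src=10.0.5.40 "
              f"dst=10.0.1.10 dport=445 state=ESTABLISHED" for i in range(5)]
    lines.append(f"{t0.isoformat()} src=10.0.5.41 dst=10.0.1.10 dport=443 state=ESTABLISHED")
    return lines


if __name__ == "__main__":
    for src, n in find_smb_floods(build_sample_log()).items():
        print(f"{src}: {n} connections to 445 within 60s - candidate for host firewall block")
```

With the sample log the only flagged source is 10.0.5.23, which peaks at 61 connections inside one 60-second window; the ordinary SMB client and the HTTPS client are not reported.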