Client advisory: Server message block vulnerability

Our Response team recommends that you disable server message block (SMB) if it is not necessary on your network.

Cyber Advisory 3 min 25 Oct, 2021

Take a few moments to read through this guidance and share with the person responsible for IT security within your business to ensure your computer systems stay safe.

 

What is Server Message Block (SMB)?

Server Message Block (SMB) is a Windows protocol that allows the sharing of files and other data over an internal network, such as sending data to printers. However, it lacks many modern security features and is also rife with vulnerabilities. It is still suitable for internal traffic but should not be exposed to the internet under any circumstances.

 

Why is SMB insecure?

Because SMB is a protocol designed for the transferal of files over an internal network, usually a trusted environment, it lacks many sophisticated security checks. That makes it an attractive target for malicious actors. With files being sent and received over it, it gives them an opportunity to extract data and inject ransomware or other malware with ease.

In addition to this, some systems are still running older, insecure versions of SMB that have numerous vulnerabilities attributed to them. The infamous WannaCry ransomware from 2017 exploited a vulnerability in SMB version 1, which allowed an attacker to install malware on vulnerable clients and propagate it across networks

 

What should I do?

We recommend that you disable SMB if it is not necessary on your network. If it is necessary, we strongly advise you do not expose it to the internet and only allow internal use. In the modern age there are many faster and more secure means of file transfer available such as using the cloud or even emails.

If using SMB within your internal environment, ensure that you are using the most up to date version. At the time of writing, SMB v3.1.1 is the most recent version, and we recommend disabling SMBv1 and SMBv2 for both internal and external use. This will help restrict movement between devices in your network in the unfortunate instance an attacker gains access to your environment.

We recommend you observe good security practices. This is true for all areas of your environment, including any internal SMB you may be running. Use secure passwords, limit the number of unsuccessful login attempts permitted for an account, and operate on the principle of least privilege (POLP). The UK’s National Cyber Security Centre’s advice on passwords can be found at https://www.ncsc.gov.uk/collection/passwords/updating-your-approach.