Evidence of SMB/NBT exploits


#1

Hello,

We’ve spotted an open NetBIOS port today (UDP 137) that was being used for reflection attacks. That is to say, an attacker sends a crafted request to UDP 137 on the server, with a spoofed IP source address. The response includes more data than the request (in this case, about three times as much) and is routed back towards the real owner of the source IP – often in some far away corner of the Internet.

It’s common to see open DNS resolvers, NTP servers and (potentially) insecure SNMP services exploited in this manner, but this might be the first time that I’ve seen NetBIOS actively utilised for nefarious purposes. As it stands, there’s a little bit of this happening across our network, but it doesn’t seem to be amounting to much in the way of traffic as yet.

It is worth pointing out that in no way does such misuse of a host on our network indicate that data security will have been compromised on your server, and in most cases there will likely be little adverse effect felt by the owner of the open NetBIOS service, but it is Bad For The Internet in many ways (as you’ll know if you’ve been on the receiving end of a distributed attack).

Any customers (or non-customers!) with Samba (CIFS/SMB/NBT) services listening globally, may see UDP flows from strange IPs with a source port of 80, to the NBD (nmbd) service on UDP 137. Remember: those aren’t the attackers, but the IPs of those your server is being used to attack.

First and foremost, however, please ensure that you have updated all Samba/NetBiOS packages and restarted those services. In addition, it is recommended that you firewall connections to the ports involved, such that only your white-listed addresses are permitted to access them.

Finally, I should mention that CVE-2015-02401 was recently issued against Samba, and identifies a potentially exploitable remote-code execution vector in that software, which really is a threat to your server’s security instead of being a nuisance for someone else.

Get checking, and get patching. I hope we won’t have to pester people via email, but it might come to this if open NetBIOS services see a sharp increase in abuse.

Tom


#2

For the record, we were seeing “NetBIOS Name Service” packets containing:

CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..!..

which translates to (thanks Wireshark):

Name: *
Type: NBSTAT
Class: IN

The server then replied with a longer packet containing details about the NetBIOS services running. This is all a standard part of the protocol and is a perfectly ordinary part of its functionality.

However, as @thill points out, like DNS and NTP, the nature of the underlying protocol, UDP, leaves this service open to reflection attacks and as such should be firewalled to allow access only to trusted networks.