Security News Microsoft Will Not Patch SMBLoris Vulnerability

[LASER_oneXM]

Researchers contacted Microsoft in June, but after separate reviews from two different internal security teams, Microsoft said it doesn't view this issue as a security bug. This answer means the company declined to fix the bug in an urgent security update but agreed that it's a bug and it will fix it in the upcoming future in a regular bugfix update at a time of its choosing.

Microsoft's response was an issue with the two researchers, who said that an attacker with "rudimentary network programming knowledge" could exploit SMBLoris and crash critical systems with port 445 exposed to the Internet.

SMBLoris affects all three SMB protocol versions + Samba
The two discovered a flaw in the SMB protocol and affects all three versions — SMBv1, SMBv2, and SMBv3 — but also the Samba Linux server that provides SMB interoperability with Linux systems.

The vulnerability allows an attacker to open a connection to a remote computer via the SMB protocol and instruct that computer to allocate RAM to handle the connection. The attacker doesn't have to be authenticated.

The SMBLoris flaw is dangerous because it allows an attacker to open tens of thousands of connections to the same machine, exhausting its RAM and potentially crashing the target's computer.

The vulnerability does not allow remote code execution, which means an attacker can't take over vulnerable computers, but only crash them, at best.

 

[brod56]

The title is misleading. MS will fix it, but it is not a priority.