SMB’s widespread use and historical design flaws have made it a frequent target for attacks.
Below are notable vulnerabilities, including those relevant to networked environments where UEFI might interact with SMB:
1. EternalBlue (CVE-2017-0144):
• Description: A critical vulnerability in SMB 1.0, exploited by the WannaCry ransomware and NotPetya malware in 2017. It allowed remote code execution via a buffer overflow in SMB packet handling.
• Impact: Attackers could gain full control of a system without authentication, spreading malware across networks.
• UEFI Relevance: If a UEFI-based system uses network booting with an SMB server hosting boot images, a compromised server could serve malicious files, though this is rare.
• Mitigation: Disable SMB 1.0, apply Microsoft patches (MS17-010), and use firewalls to block unauthorized SMB traffic.
2. SMB Relay Attacks:
• Description: Attackers intercept SMB authentication requests (e.g., NTLM hashes) and relay them to other systems to gain unauthorized access.
• Impact: Compromised credentials can allow attackers to access sensitive SMB shares, potentially including those used for network booting.
• UEFI Relevance: Misconfigured SMB shares hosting UEFI boot images could be accessed by attackers if authentication is weak.
• Mitigation: Enable SMB signing to prevent tampering, use strong passwords, and disable NTLM in favor of Kerberos.
3. SMBv1 Deprecated Features:
• Description: SMB 1.0’s lack of encryption and weak authentication (e.g., LANMAN hashes) make it prone to exploitation.
• Impact: Legacy systems using SMB 1.0 are vulnerable to eavesdropping, session hijacking, and malware injection.
• UEFI Relevance: Older UEFI implementations relying on SMB 1.0 for network boot resources are at risk.
• Mitigation: Disable SMB 1.0 (disabled by default in Windows 10/11 and Server 2016+), and use SMB 3.x with encryption.
4. Improper Share Permissions:
• Description: Misconfigured SMB shares with overly permissive access (e.g., guest access or weak passwords) can allow unauthorized users to access or modify files.
• Impact: Attackers could alter boot images or inject malicious code into shares used for UEFI network booting.
• UEFI Relevance: UEFI systems relying on SMB shares for PXE booting are vulnerable if shares are not secured.
• Mitigation: Use strong authentication, limit share permissions, and encrypt SMB traffic.
5. SMBGhost (CVE-2020-0796):
• Description: A vulnerability in SMB 3.1.1’s compression feature, allowing remote code execution without authentication.
• Impact: Attackers could compromise servers hosting SMB shares, potentially affecting UEFI network boot environments.
• Mitigation: Apply Microsoft patches, disable SMB compression if not needed, and monitor for exploitation attempts.
6. Man-in-the-Middle (MITM) Attacks:
• Description: Attackers intercept unencrypted SMB traffic to steal credentials or modify data.
• Impact: Compromised SMB shares could deliver malicious bootloaders to UEFI systems during network booting.
• Mitigation: Use SMB 3.x with encryption, implement network segmentation, and enforce secure authentication protocols.
Security Best Practices for SMB
To mitigate SMB vulnerabilities, especially in environments where UEFI systems may interact with SMB for network booting:
1. Disable SMB 1.0: It is insecure and deprecated. Modern systems (Windows 10/11, Server 2016+) disable it by default.
2. Use SMB 3.x: Enable SMB 3.0 or 3.1.1 for encryption, signing, and improved security features.
3. Enable SMB Signing: Prevents MITM attacks by ensuring packet integrity.
4. Restrict SMB Traffic: Use firewalls to block SMB ports (445, 137-139) from external networks.
5. Strong Authentication: Use Kerberos instead of NTLM, and enforce strong passwords.
6. Patch Regularly: Apply security updates for Windows and Samba to address known vulnerabilities.
7. Secure Shares: Configure SMB shares with least-privilege access and disable guest accounts.
8. Monitor Network Traffic: Use intrusion detection systems to identify suspicious SMB activity.
9. UEFI-Specific Protections:
• Enable Secure Boot to verify the integrity of bootloaders downloaded via SMB shares.
• Use trusted PXE servers and secure protocols (e.g., HTTPS instead of SMB) for network booting.
• Regularly update UEFI firmware to patch vulnerabilities that could interact with network boot processes.