Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Security Best Practice: Protect Yourself against SMB Reflection Attacks

Subscribe

Check Point Reference: SBP-2008-12
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS08-068
Industry Reference(s): CVE-2008-4037
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX R65
InterSpect
  • NGX
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP1 (Itanium)
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 (Itanium)
Vulnerability Description
A reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions; the same challenge-response protocol is used by each side to authenticate the other side.
SMB reflection attacks is a type of "Man-in-the-Middle" (MITM) attack in which an attacker reflects the clients SMB challenge back to the client and by that bypass security, allowing the attacker to execute code in the context of the logged-on user.

A remote code execution vulnerability has been reported in the way that Microsoft Server Message Block (SMB) Protocol handles NTLM credentials when a user connects to an attacker's SMB server. This vulnerability allows an attacker to replay the user's credentials back to them, creating an SMB reflection attack.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS08-068
Vulnerability Details
Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol. The SMB protocol does not correctly validate specific parameters within the SMB connection to ensure that a user's credentials are not reflected back and used against the user. An attacker who successfully executed an SMB reflection attack could take complete control of an affected system.

Protection Overview
By enabling this protection, SmartDefense will detect and block SMB reflection attacks.

In order for the protection to be activated, update your VPN-1 product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Block SMB Reflection Attacks.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: SMB reflection attack

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
2. Select the following protection:

Block SMB Reflection Attacks

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: SMB reflection attack

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Block SMB Reflection Attacks.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: SMB reflection attack

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Microsoft Networks.
3. Select the following protection:

Block SMB Reflection Attacks

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: SMB reflection attack

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Network Security > SMB, and select the SMB Reflection Monitor protection group.
3. Click SMB Reflection Detected (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: SMB Reflection Monitor
Description: SMB Reflection Detected