4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
0.004 Low
EPSS
Percentile
73.7%
Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to afile://
protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user’s credentials are then logged on the malicious server. This vulnerability is alternatively known as “Redirect to SMB”.
CWE-201: Information Exposure Through Sent Data
Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file://
URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption.
The following Windows API functions (available via urlmon.dll
) have been identified as being affected:
* `URLDownloadA`
* `URLDownloadW`
* `URLDownloadToCacheFileA`
* `URLDownloadToCacheFileW`
* `URLDownloadToFileA`
* `URLDownloadToFileW`
* `URLOpenStream`
* `URLOpenBlockingStream`
urlmon
uses the wininet
library for processing, therefore the affected functionality may be contained within wininet
; it is currently not clear where the vulnerability lies. Internet Explorer and the WebBrowser component of .NET have also be reported vulnerable to this SMB redirection. For a longer description with more examples, see Cylance’s blog on the issue.
An attacker exploiting this vulnerability may obtain the victim’s user credentials in an encrypted format.
The CERT/CC is currently unaware of a full solution to this problem. However, affected users may consider the following workarounds.
Block outbound SMB
Consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN.
Update NTLM group policy
This attack may be mitigated in some circumstances by restricting NTLM via appropriate Group Policy. See reference one and reference two from Microsoft.
Do not use NTLM for authentication by default in applications
Developers should ensure their software complies with appropriate Group Policy and does not use NTLM for authentication by default.
Use a strong password and change passwords frequently
Since the credentials are provided to the attacker in encrypted form, a stronger password may require more time to break the encryption. Changing passwords regularly further deters brute-force attacks against the encryption.
672268
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: March 24, 2015 Updated: April 01, 2015
Statement Date: April 01, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 24, 2015 Updated: September 05, 2017
Affected
We have not received a statement from the vendor.
It has been reported to us that CVE-2017-3085 is a form of Redirect to SMB affecting Flash Player. Adobe’s security advisory recommends upgrading Flash Player to at least 26.0.0.151, which has addressed the issue.
Notified: March 11, 2015 Updated: April 01, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 24, 2015 Updated: April 01, 2015
Statement Date: March 31, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 24, 2015 Updated: March 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 14, 2015 Updated: April 14, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
According to the reporter, the Box Sync client may be vulnerable in certain circumstances if the user accepts an SSL prompt. CERT/CC has been unable to confirm this so far.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).
Notified: March 24, 2015 Updated: March 24, 2015
Unknown
We have not received a statement from the vendor.
Updated: April 13, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
The GitHub for Windows installer has been reported to be affected by this vulnerability.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).
Updated: April 13, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
GoPro Studio has been reported to be affected by this vulnerability.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).
Updated: April 13, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
The following software was reported to CERT/CC to be vulnerable; this information has not been verified yet:
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).
Notified: April 17, 2015 Updated: April 17, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 17, 2015 Updated: April 17, 2015
Unknown
We have not received a statement from the vendor.
View all 12 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 6.3 | AV:N/AC:M/Au:S/C:C/I:N/A:N |
Temporal | 5.7 | E:F/RL:W/RC:C |
Environmental | 5.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Brian Wallace of Cylance, Inc., for reporting this vulnerability.
This document was written by Garret Wassermann.
CVE IDs: | None |
---|---|
Date Public: | 2015-04-13 Date First Published: |
blog.cylance.com/redirect-to-smb
blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
cwe.mitre.org/data/definitions/201.html
insecure.org/sploits/NT.NTLM.auto-authentication.html
insecure.org/sploits/win95.smb.auto-auth.html
insecure.org/sploits/winnt.automatic.authentication.html
msdn.microsoft.com/en-us/library/aa939357%28v=WinEmbedded.5%29.aspx
msdn.microsoft.com/en-us/library/ms775122%28v=vs.85%29.aspx
msdn.microsoft.com/en-us/library/ms775123%28v=vs.85%29.aspx
msdn.microsoft.com/en-us/library/windows/desktop/aa385483%28v=vs.85%29.aspx
technet.microsoft.com/en-us/library/jj865668(v=ws.10).aspx
technet.microsoft.com/en-us/library/jj865676(v=ws.10).aspx
technet.microsoft.com/en-us/library/security/973811.aspx
technet.microsoft.com/en-us/library/security/974926.aspx
technet.microsoft.com/library/jj852213(v=ws.10).aspx
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
0.004 Low
EPSS
Percentile
73.7%