A security researcher has uncovered a serious vulnerability that affects every version of Microsoft’s Windows operating system from Windows 95 to Windows 10.
The vulnerability could give attackers a way to set up man-in-the-middle attacks against victims by getting them to click on a link, open a Microsoft Office document or plug in a USB drive.
In an interview with Dark Reading, Yang Yu, who earned a whopping $50,000 bug bounty for the discovery he’s nicknamed BadTunnel, described the impact in grandiose terms:
This vulnerability has a massive security impact – probably the widest impact in the history of Windows.
Microsoft released a fix for the vulnerability on Tuesday in security bulletin MS16-077. Users of unsupported Windows versions such as Windows XP should disable NetBIOS over TCP/IP.
The nuts and bolts of how the vulnerability works haven’t been revealed, but it has been described as a technique for NetBIOS spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices.
In other words, it can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.
According to Yu, it relies on a chain of elements including “a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices.”
Microsoft’s bulletin appears to break the final link in the chain by fixing a vulnerability in WPAD (Web Proxy Autodiscovery Protocol) that was first reported in 2007.
WPAD is a way for computers to discover web browser proxy configuration files automatically by searching specific addresses on a computer’s local network. An attacker who could find a way to occupy one of those addresses, or to change the addresses being searched, could supply their own configuration files and instruct the victim’s browser to route its traffic through a man-in-the-middle.
Until BadTunnel, the attacker had to gain access to a victim’s network (or rely on opportunistic domain name collisions), which made it a difficult trick to pull off.
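As an added illustration of the port-137 advice above (this is example code written for this page, not code from the original article or from Yu’s research): a small Python audit that reads constructed firewall log lines and flags NetBIOS Name Service (UDP/137) flows crossing between RFC 1918 space and the internet, which is the exposure the article says a perimeter rule should close. The key=value log format, field names and addresses are assumptions.

```python
import ipaddress
import re

# RFC 1918 ranges count as "inside". Deliberately not ipaddress.is_private, which
# also treats the documentation ranges used in the sample (203.0.113.0/24,
# 198.51.100.0/24) as private and would hide the leak.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS_NS_PORT = 137  # NetBIOS Name Service runs over UDP/137
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed firewall log lines (assumed key=value format; not real data).
SAMPLE_LOG = """\
2016-06-15T10:01:02Z action=allow proto=udp src=192.168.1.20 sport=137 dst=203.0.113.5 dport=137
2016-06-15T10:01:03Z action=allow proto=udp src=192.168.1.20 sport=137 dst=192.168.1.30 dport=137
2016-06-15T10:01:04Z action=allow proto=udp src=198.51.100.9 sport=137 dst=192.168.1.20 dport=137
2016-06-15T10:01:05Z action=deny proto=udp src=192.168.1.44 sport=137 dst=203.0.113.5 dport=137
2016-06-15T10:01:06Z action=allow proto=tcp src=192.168.1.20 sport=51000 dst=203.0.113.80 dport=443
"""

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(rec: dict):
    """'outbound'/'inbound' for a UDP/137 flow that crosses the edge, else None."""
    if rec.get("proto") != "udp":
        return None
    if NETBIOS_NS_PORT not in (int(rec["sport"]), int(rec["dport"])):
        return None
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if src_in and not dst_in:
        return "outbound"   # internal host querying/answering an internet address
    if dst_in and not src_in:
        return "inbound"    # internet host reaching an internal NetBIOS listener
    return None             # LAN-to-LAN NetBIOS chatter is expected

def audit(log_text: str) -> list:
    """Flag every UDP/137 flow between an RFC1918 host and a non-RFC1918 host."""
    findings = []
    for line in log_text.splitlines():
        rec = dict(FIELD_RE.findall(line))   # timestamp carries no '=' and is skipped
        direction = classify(rec)
        if direction:
            findings.append((direction, rec["action"], rec["src"], rec["dst"]))
    return findings

def still_allowed(log_text: str) -> list:
    """Only the crossings the firewall let through: these need a UDP/137 block rule."""
    return [f for f in audit(log_text) if f[1] == "allow"]
```

Any entry returned by `still_allowed` means port 137 is still open in that direction between the network and the internet; a `deny` entry shows the rule is already doing its job.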
Yu plans to reveal the full gory details of BadTunnel in a presentation at the upcoming BlackHat conference:
This presentation will introduce a new threat model. Based on this threat model, we found a flaw in the Windows system. It affects all Windows released in the last two decades, including Windows 10. It also has a very wide attack surface. The attack can be performed on all versions of Internet Explorer, Edge, Microsoft Office, much third-party software, USB flash drives, and even Web servers. When this flaw is triggered, YOU ARE BEING WATCHED.
If you’ve got Windows Update disabled for Windows 10 prevention, which update number is it, so I can just download that one?
I believe security updates are forced upon anyways. Unless you’re using some weird software to block it.
Or you’re one of the millions of people using Windows XP, which obviously isn’t supported. Those users won’t get an automatic update of any kind.
The patch for this should have been already pushed to you on Patch Tuesday, 6/14 for Win 7 systems. If you’re applying your Patch Tuesday updates in a timely manner, you should already have it. For example, for Win 7 64-bit systems it is KB3161949, and I show that it was installed on my systems. But you should check your Windows update history anyway to make sure for the KB number that corresponds to your OS.
Both you and Mark Stockley rock dude. I checked… I got it.
But wait, couldn’t you have blocked it with a paperclip, a newspaper and a stick of chewing gum?
Mark Stockley wrote “In other words, it can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.”
Surely all the consumer routers–even the inexpensive ones–block external access via NetBIOS over TCP/IP.
Let’s hope so. Windows File and Print services have been spilling onto the internet for a long time so you’d expect the port to be blocked as a matter of course. Not everyone has modern kit though (look no further than the continued popularity of Windows XP) and a quick search with Shodan suggests there are plenty of possible targets.
Just reading through that TechNet article. My word NetBT seems like a kludge, I’m not surprised it has holes in it…
“…and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.” Just a tad sensationalist, don’t you think? I mean, this is what firewalls do – block traffic between networks. So your firewall will absolutely save you, with little or no negative impact on normal Internet usage – if you only take the time to configure it correctly.
I kind of assumed by that statement that it meant UDP137 outbound to the internet from your network. By default, firewalls allow all traffic out (and associated return packets) from a more trusted zone to a less trusted zone.
This whole article is quite some sensationalist journalism; it translates as “All Windows can be compromised by this incredibly specific complex attack and your firewall is useless unless you use it”. That, and you’d have to have a death wish to enable NetBIOS over TCP/IP; it’s like Swiss cheese!
I think I may have stumbled into part of this issue back in 1998 — I was working as a network administrator and found that some of my NetBIOS data could be manipulated from the public side of the firewall. My solution was to block UDP 137 (and 8080 while I was at it; IIS at the time provided full disk access on that port by default via simple /../ paths).
But my big question is: does this affect the SAMBA implementation at all? WPAD shouldn’t be an issue, but there are possibly other similar services that could provide the same effect if implemented incorrectly by default.
“Microsoft released a fix for the vulnerability on Tuesday in security bulletin MS16-077.”
This is sort of half-useful info!
I want to know if I am secure, but Windows (W7 64HP) Update History does not refer to MS Bulletin Numbers!
So off to the MS site to discover that at first glance MS16-077 corresponds to 3165191. Only I don’t think first glance is right; read further and I need 3161949 (Knowledgebase Number – KB?).
So off to Windows Update History (Win 7 64HP) and can I “search” for it? No, it appears I have to carefully scan through the history (MK1 eyeball stuff). Fortunately I can sort by date which reduces the number of lines to check – why can’t I sort by KB Number?
Yes it is installed, but what a palaver!
Or is there an easier way?