Introduction
With cyber threats constantly evolving, staying ahead of vulnerabilities is crucial. One significant, yet long-standing vulnerability relates to Windows Server Message Block Version 1 (SMBv1). This outdated protocol allows attackers to gain unauthorised access to systems, posing a serious security risk. Cybercriminals can use this weakness to infiltrate your network, steal sensitive data, and disrupt operations. By addressing the SMBv1 vulnerability, you can safeguard your systems. In this article, we delve into the details of the SMBv1 vulnerability, explain why it matters, set out ways to fix the problem, and link it to one of the benefits of Cyber Essentials Plus testing.
Cyber Essentials Plus Testing
Cyber Essentials aims to prevent devices from being vulnerable to known security issues. The certification involves testing to determine whether an internet-based attacker can hack into systems using low-skill methods. It also checks devices to determine whether weaknesses exist. Qualified assessors use (specially designed) tools to carry out the Cyber Essentials Plus testing to identify and highlight these weaknesses. Findings can be extremely valuable for an organisation – an opportunity to identify and fix system weaknesses, before they can be exploited by bad actors.
Windows Server Message Block Version 1 (SMBv1) Explained
It’s an outdated and very insecure way for Windows to allow (network) files and folders to be shared across a network.
What an Attacker Can Do
Attackers can exploit the weakness to gain access to systems, execute malicious code, and spread malicious software across the network.
How it Works
SMBv1 enables file sharing across networks. However, due to its outdated nature, it has many security flaws that attackers can exploit to gain access to systems and execute malicious software. An example of this is the WannaCry ransomware outbreak of 2017, which spread rapidly across many organisations, including the National Health Service in the UK, by exploiting an SMBv1 flaw (CVE-2017-0144) and caused a devastating impact.
Potential Impact
If SMBv1 is exploited, attackers can gain full control of your computer, potentially allowing them to access programs, view, change, steal, or delete data, and create new accounts.
Why it Matters
It’s a very serious security risk because it undermines the integrity and security of network communications. If malicious software is undetected, it can bypass security controls and cause harm to your device and data.
Severity
- Severity ranking: CRITICAL
- CVSSv3.1 base score: 9.8
- The vulnerability can be used to deploy malicious software.
Fix
Disable the protocol in Windows, for example via the Control Panel.
Warning – Before Making Changes
Before making changes, it’s recommended to test in a non-production environment, then roll out to a production environment, creating appropriate backups (in case of any need to revert).
Using Control Panel
- Open Control Panel
- Navigate to > Programs and Features > Turn Windows features on or off
- Uncheck SMB 1.0/CIFS File Sharing Support
- Click OK and restart
Further Fix Options
- Change via PowerShell
- Change via Windows Features
Verification
- After disabling SMBv1, restart your computer to ensure the settings take effect.
- A vulnerability management agent and/or credentialed scan should also be able to confirm remediation.
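As an added example (not from the original article), the following PowerShell session covers the "Change via PowerShell" option and the verification step above. It assumes an elevated prompt on Windows 10/11 or Windows Server 2016 or later, where the SmbShare and DISM cmdlets used here ship with the operating system; run it step by step rather than as one script, because a restart sits in the middle.

```powershell
# Added example, not part of the original article. Run each step from an
# elevated PowerShell prompt on Windows 10/11 or Server 2016+.

# --- 1. Before changing anything: find out who still relies on SMB1 -------
# Inbound sessions to this host and outbound connections from it, by dialect.
# Anything reporting a dialect of 1.x will break once SMB1 is removed.
Get-SmbSession    | Select-Object ClientComputerName, ClientUserName, Dialect
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect

# Turn on SMB1 access auditing so legacy clients show up in the event log
# (Microsoft-Windows-SMBServer/Audit, event ID 3000) before you cut them off.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# --- 2. Current state of the SMB1 feature and the server-side switch ------
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol

# --- 3. Disable SMB1 -------------------------------------------------------
# Equivalent to unticking "SMB 1.0/CIFS File Sharing Support" in Control Panel.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# On Windows Server the component is a role feature instead:
#   Remove-WindowsFeature FS-SMB1
# A restart is required for the feature removal to take effect:
#   Restart-Computer

# --- 4. Verify after the restart ------------------------------------------
function Test-Smb1Disabled {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState       = $feature.State               # expect 'Disabled'
        EnableSMB1Protocol = $server.EnableSMB1Protocol   # expect False
        Remediated         = ($feature.State -eq 'Disabled') -and
                             (-not $server.EnableSMB1Protocol)
    }
}
Test-Smb1Disabled
```

Keep the audit events from step 1 as evidence for the assessor alongside the output of Test-Smb1Disabled, and repeat step 4 on a sample of hosts after a credentialed scan to confirm the two agree.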
How We Help
At RB Consultancy Ltd we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- As NCSC Assured Cyber Advisor – we help organisations understand and implement technical controls and provide detailed steps on how to resolve this vulnerability
- As Cyber Essentials Plus Assessor – we assess organisations against the requirements and carry out vulnerability assessments
- As Cyber Essentials Plus Certification Body – we issue organisations with certifications
Conclusion
Cyber Essentials Plus testing identifies critical and high-risk vulnerabilities. By making changes via the Control Panel, you should be able to effectively mitigate the SMBv1 vulnerability and enhance the security of your system. Regular updates and monitoring of the system for vulnerabilities are essential when maintaining a secure environment. There is always risk when making changes – follow best practice guidance on rolling out change (reverting if needed).
Information sources for SMBv1 vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2017-0144
- https://techcommunity.microsoft.com/blog/filecab/stop-using-smb1/425858