SMB revealed a dangerous vulnerability in a massive cyberattack, that affected hundreds of thousands of people. You may not have heard of the SMB protocol but it's an integral part of how the internet operates. Luckily, there IS a way to use the SMB protocol safely. But first — what is SMB?
The Server Message Block (SMB) is a network protocol that enables users to communicate with remote computers and servers — to use their resources or share, open, and edit files. It’s also referred to as the server/client protocol, as the server has a resource that it can share with the client.
Now let's find out what is SMB port? Like any network file sharing protocol, SMB block needs network ports to communicate with other systems. Originally, it used port 139 that allowed computers to communicate on the same network. But since Windows 2000, SMB uses port 445 and the TCP network protocol to “talk” to other computers over the internet.
So what is SMB and how is it used? The SMB protocol creates a connection between the server and the client by sending multiple request-response messages back and forth.
Imagine your team is working on a large project that involves a lot of back and forth. You might want to be able to share and edit files that are stored in one place. The SMB protocol will allow your team members to use these shared files as if they were on their own hard drives. Even if one of them is on a business trip on the other side of the world, they can still access and use the data.
Let’s say that the printer in your office is connected to the receptionists’ PC. If you want to print a document, your computer (the client) sends the receptionists’ computer (the server) a request to print it and uses the SMB protocol to do it. The server will then send back a response, stating that the file is queued, printed, or that the printer ran out of magenta and is unable to perform the task.
Like any other connection, the SMB protocol needs security measures to make communication safe. At the user level, SMB authentication requires a username and password to allow access to the server. It is controlled by the system administrator, who can add or block users and keep tabs on who is allowed in.
At a share-level, users have to enter a one-time password to access the shared file or server, but no identity authentication is required.
In 1996, Microsoft tried to rename SMB to CIFS (Common Internet File System). It was an updated version of the same protocol and had additional functions, but the name didn’t stick. As a result, many still think it’s the same thing. CIFS is now only one of many dialects (variants) of SMB.
Here’re all the variants of the SMB protocol:
It’s important to know which version of the SMB protocol your device uses, especially if you own a business and have a lot of Windows machines connected to each other. It would be hard to find a PC running Windows 95 or XP (and using SMBv1) in a modern-day office, but they might still be running on old servers. Why is that important?
Is SMB secure and completely safe to use? For now, it seems so. But new vulnerabilities could pop up any day. Users who want to lower their risk can go one step further and encrypt their SMB connections. Moreover, if you’re running a Windows computer or server that still uses SMBv1, you should immediately install the update. Better yet, upgrade to a newer version of the protocol.
Unfortunately, more than a million Windows machines are still running the unpatched version of the SMBv1 protocol. Most are likely connected to a network, which makes other devices on the same network vulnerable, regardless of which SMB version they are using.
SMB has also experienced some vulnerabilities that resulted in high-profile hacking incidents. In 2017, the US National Security Agency (NSA) found a vulnerability in the SMBv1 protocol. It allowed an attacker to execute their code without the user noticing. If one device were to become infected, the hacker could gain access to the whole network and every device connected to it.
This exploit was called EternalBlue. A hacker group called the Shadow Brokers allegedly stole the information from the NSA and leaked it online in 2017. Microsoft released an update to patch the vulnerability. Unfortunately, only a month after that, the WannaCry ransomware attack broke out. The massive attack affected almost 200,000 Windows devices across 150 countries.
In 2020, two more SMB vulnerabilities were disclosed, called SMBGhost and SMBleed. SMGhost possibly spread to millions of unpatched devices, resulting in millions of dollars of losses. When combined, these vulnerabilities could provide the attacker with remote code execution privilege. It enables an attacker to run any command on a target device over a network.
SMB also doesn’t support new authentication protocols that introduce additional safety issues.
If you’re not using any applications that require SMB, it’s best to disable it altogether and protect your device from possible attacks. SMB is not enabled by default in Windows 10 from October 2017, so you only need to take action if you use an older Windows version.
Here's how NordVPN protects you while using the SMB protocol.
Remember to check which version of the SMB protocol you're using, and secure every device on your network with a VPN for stronger security. You can use NordVPN on PCs, smartphones, and routers for total network protection.