Windows Server Running SMB over QUIC Leads to DoS Attack


QUIC, created by Google, is a modern transport layer protocol built on UDP that aims to improve connection reliability and security while addressing latency and packet loss.

Microsoft’s QUIC implementation is known as MsQuic. It is used for SMB and for HTTP/3 in IIS on Windows Server 2022, with SMB over QUIC exclusive to the Azure edition.

Cybersecurity analysts at Akamai reported that threat actors actively exploit the Microsoft Windows Server 2022 vulnerability to launch DoS attacks.


Microsoft Windows Server 2022 Vulnerability

QUIC employs a unique connection identifier to maintain state, enabling clients to establish multiple concurrent connections that are multiplexed for simultaneous data exchange across multiple streams.

The SMB over QUIC code in srvnet.sys uses SrvNetQuicServerReceiveEvent to read and process the client’s SMB messages. The routine does the following:

  • Reads SMB message size
  • Allocates a buffer
  • Signals SMB layer upon successful message reception

Figure: An SMB message structure (Source – Akamai)

The vulnerability occurs when fewer than 4 bytes of the SMB message size are received: the code saves the X bytes it has, sets PendingMessageSize to 4 – X, and reads the remaining bytes from subsequent packets.

The code does not verify the SMB message size against the maximum allowed size before allocating the buffer, so an attacker can bypass the limit by splitting the size field across two packets.
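The defensive point in the two paragraphs above is where the size check sits relative to reassembly. The following added example (illustrative code, not srvnet.sys or anything from Akamai’s report) models a receiver that reassembles a 4-byte length prefix across chunks and then allocates. The flawed mode validates only when the whole size field arrives in one read, mirroring the pattern the page describes; the hardened mode validates as soon as the field is complete, however many chunks delivered it. All names (smb_rx, smb_rx_feed, deliver_split_size), the big-endian framing and the MAX_SMB_MESSAGE value are assumptions made for the demonstration, not values from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed ceiling for one SMB message; the page does not give the real value. */
#define MAX_SMB_MESSAGE (64u * 1024u)
#define SIZE_FIELD_LEN 4u

enum rx_status { RX_NEED_MORE = 0, RX_COMPLETE = 1, RX_REJECTED = -1, RX_ALLOC_FAILED = -2 };

/* Hypothetical per-connection receive state, modelled on the page's description. */
struct smb_rx {
    uint8_t  size_bytes[SIZE_FIELD_LEN];
    uint32_t size_have;      /* size-field bytes seen so far; PendingMessageSize = 4 - size_have */
    uint32_t message_size;   /* decoded once all four size bytes are present */
    uint32_t body_have;      /* body bytes copied into buffer */
    uint8_t *buffer;         /* message buffer, allocated after the size is known */
    uint32_t last_alloc;     /* size handed to the allocator, kept for auditing */
    int      check_on_split; /* 0: check only when the size arrives whole (flawed); 1: always check */
};

static void smb_rx_init(struct smb_rx *r, int check_on_split) {
    memset(r, 0, sizeof *r);
    r->check_on_split = check_on_split;
}

static void smb_rx_free(struct smb_rx *r) {
    free(r->buffer);
    r->buffer = NULL;
}

/* Assumed framing: a 4-byte big-endian length prefix. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Feed one transport chunk; returns RX_COMPLETE once a whole message is buffered. */
static enum rx_status smb_rx_feed(struct smb_rx *r, const uint8_t *data, uint32_t len) {
    uint32_t off = 0;

    /* Phase 1: reassemble the size field, which may be spread over several chunks. */
    if (r->size_have < SIZE_FIELD_LEN) {
        uint32_t pending = SIZE_FIELD_LEN - r->size_have;
        uint32_t take = len < pending ? len : pending;
        int arrived_whole = (r->size_have == 0 && take == SIZE_FIELD_LEN);
        memcpy(r->size_bytes + r->size_have, data, take);
        r->size_have += take;
        off += take;
        if (r->size_have < SIZE_FIELD_LEN)
            return RX_NEED_MORE;            /* wait for the rest of the size field */

        r->message_size = be32(r->size_bytes);

        /* Flawed pattern: the limit is checked only on the single-read path, so a size
         * split across packets reaches the allocator unchecked. Hardened pattern: check
         * as soon as the field is complete, regardless of how it was delivered. */
        if ((arrived_whole || r->check_on_split) && r->message_size > MAX_SMB_MESSAGE)
            return RX_REJECTED;

        r->last_alloc = r->message_size;
        r->buffer = malloc(r->message_size ? r->message_size : 1);
        if (!r->buffer)
            return RX_ALLOC_FAILED;
    }
    if (!r->buffer)
        return RX_REJECTED;                 /* this connection was already rejected */

    /* Phase 2: copy body bytes until message_size is reached. */
    uint32_t want = r->message_size - r->body_have;
    uint32_t avail = len - off;
    uint32_t body_take = avail < want ? avail : want;
    memcpy(r->buffer + r->body_have, data + off, body_take);
    r->body_have += body_take;
    return r->body_have == r->message_size ? RX_COMPLETE : RX_NEED_MORE;
}

/* Demo helper: deliver the size field as a 3-byte chunk then a 1-byte chunk; reports the
 * resulting status and the allocation size that was requested (0 if none). */
static enum rx_status deliver_split_size(uint32_t size, int check_on_split, uint32_t *alloc_out) {
    struct smb_rx r;
    uint8_t field[SIZE_FIELD_LEN] = { (uint8_t)(size >> 24), (uint8_t)(size >> 16),
                                      (uint8_t)(size >> 8),  (uint8_t)size };
    smb_rx_init(&r, check_on_split);
    enum rx_status s = smb_rx_feed(&r, field, 3);
    if (s == RX_NEED_MORE)
        s = smb_rx_feed(&r, field + 3, 1);
    *alloc_out = r.last_alloc;
    smb_rx_free(&r);
    return s;
}

int main(void) {
    uint32_t alloc;
    enum rx_status s = deliver_split_size(1u << 20, 0, &alloc);  /* 1 MiB, well over the limit */
    printf("flawed:   status=%d allocated=%u (limit %u)\n", (int)s, alloc, MAX_SMB_MESSAGE);
    s = deliver_split_size(1u << 20, 1, &alloc);
    printf("hardened: status=%d allocated=%u\n", (int)s, alloc);
    return 0;
}
```

Running it shows the flawed receiver handing a 1 MiB request to the allocator from a two-chunk size field while rejecting the same size when it arrives in one read; the hardened receiver rejects both. The design lesson is that any limit on a length-prefixed message must be enforced at the point where the length becomes known, not on one of the delivery paths that happens to be common.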

To exploit this bug for DoS, the triggering packets must be sent continuously, but two restrictions remain:

  • SrvNetAllocateBuffer enforces a strict 16 MB allocation limit.
  • Unauthenticated concurrent connections are limited by server RAM, which caps exploitation to servers with 32 GB of RAM or less.

The analysts created multiple connections, sending two packets on each to trigger a 16 MB allocation. Repeating this exhausts memory, which causes system instability or malfunction.

Exploiting this requires many packets. Abusing QUIC features might reduce the packet count, but SMB over QUIC restricts simultaneous streams to one.

The researchers found that multiple simultaneous streams did not improve the exploit. Instead, they used one QUIC packet carrying multiple frames in a serial, repeating sequence:

  • Create a stream
  • Trigger the 16 MB allocation by sending two DATA frames
  • Close the stream

To address this, the researchers advise patching Windows Server, since there is no other fix apart from disabling SMB over QUIC.
