Cyber Security News

Windows Server Running SMB over QUIC Let Attacker Launch DoS Attacks

QUIC, created by Google, is a modern transport-layer protocol built on UDP that aims to improve connection reliability and security while reducing latency and mitigating packet loss.

Microsoft's QUIC implementation is called MsQuic. It is used for SMB and for HTTP/3 in IIS on Windows Server 2022, with SMB over QUIC available only in the Azure edition.

Cybersecurity analysts at Akamai reported that threat actors actively exploit the Microsoft Windows Server 2022 vulnerability to launch DoS attacks.


Microsoft Windows Server 2022 Vulnerability

QUIC uses a unique connection identifier to maintain connection state, allowing a client to establish multiple concurrent connections, each multiplexing simultaneous data exchange across multiple streams.

The SMB over QUIC code in srvnet.sys uses SrvNetQuicServerReceiveEvent to read and process the client's SMB messages. That function does the following:-

  • Reads the SMB message size
  • Allocates a buffer for the message
  • Signals the SMB layer once the message has been fully received

An SMB message structure (Source – Akamai)

The vulnerability occurs when fewer than 4 bytes of the SMB message size field arrive in a packet. The code saves the X bytes it has received, sets PendingMessageSize to 4 – X, and reads the remaining size bytes from subsequent packets.

On that path the code does not verify the SMB message size against the maximum allowed size before allocating the buffer, so an attacker can bypass the limit by splitting the size field across two packets.

To turn this bug into a DoS, the trigger must be sent continuously, but two restrictions remain:-

  • SrvNetAllocateBuffer enforces a strict 16 MB allocation limit.
  • The number of unauthenticated concurrent connections is limited by server RAM, which caps exploitation to servers with 32 GB of RAM or less.

The analysts exploited it by opening multiple connections and sending two packets on each to trigger a 16 MB allocation. Repeating this exhausts memory, causing system instability or malfunction.

Exploitation requires many packets, so the researchers looked at QUIC features that might reduce the packet count. Because SMB over QUIC restricts each connection to a single simultaneous stream, opening multiple streams did not improve the exploit.

Instead, they packed multiple frames into a single QUIC packet in a serial, repeating sequence:-

  • Create a stream
  • Trigger the 16 MB allocation by sending two DATA frames
  • Close the stream
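To make the split-size-field bug and its fix concrete, here is an added model of the receive path described above (it is not srvnet.sys code and not Akamai's). Function and field names are constructed, MAX_SMB_MESSAGE is an assumed value because the page does not state the real cap, ALLOC_LIMIT mirrors the 16 MB SrvNetAllocateBuffer limit mentioned above, and a big-endian size field is assumed.

```c
/* Added model of the receive path; not srvnet.sys code. Names, the
 * MAX_SMB_MESSAGE value and the big-endian header are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_SMB_MESSAGE (1u * 1024u * 1024u)   /* assumed protocol-level cap */
#define ALLOC_LIMIT     (16u * 1024u * 1024u)  /* SrvNetAllocateBuffer hard limit */

typedef struct {
    uint8_t  size_bytes[4];  /* 4-byte SMB message size field, assembled so far */
    uint32_t pending;        /* header bytes still outstanding (PendingMessageSize) */
    uint32_t allocated;      /* buffer size the last complete header produced, 0 if none */
    int      fixed;          /* 1 = enforce the cap whenever the header completes */
} recv_ctx;

static void ctx_init(recv_ctx *c, int fixed) {
    memset(c, 0, sizeof *c);
    c->pending = 4;
    c->fixed = fixed;
}

/* Stand-in for SrvNetAllocateBuffer: refuses anything above 16 MB. */
static uint32_t alloc_buffer(uint32_t size) {
    return size > ALLOC_LIMIT ? 0 : size;
}

/* One call per received packet. Returns 1 when a buffer was allocated,
 * 0 when more header bytes are needed or the size was rejected. */
static int receive_event(recv_ctx *c, const uint8_t *data, size_t len) {
    size_t take = len < c->pending ? len : c->pending;
    memcpy(c->size_bytes + (4 - c->pending), data, take);
    c->pending -= (uint32_t)take;
    if (c->pending != 0)
        return 0;                         /* wait for the rest of the size field */
    uint32_t size = (uint32_t)c->size_bytes[0] << 24 | (uint32_t)c->size_bytes[1] << 16 |
                    (uint32_t)c->size_bytes[2] << 8  | (uint32_t)c->size_bytes[3];
    c->pending = 4;                       /* reset for the next message */
    /* Vulnerable model: the cap is checked only when the whole size field arrived
     * in one packet, so a field split across packets skips it. Fixed: always check. */
    int checked = c->fixed || take == 4;
    if (checked && size > MAX_SMB_MESSAGE) {
        c->allocated = 0;
        return 0;
    }
    c->allocated = alloc_buffer(size);
    return c->allocated != 0;
}
```

Feeding the same 16 MB size field in one packet versus split 1 + 3 bytes shows the vulnerable model accepting the split case while the fixed model rejects both.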

To address this, the researchers advise patching Windows Server; the only other mitigation is disabling SMB over QUIC.


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.
