SMB can be used to deanonymize Internet users
A blog post written by ValdikSS explains how an attacker can use Windows's built-in function "Server Message Block" (SMB) to capture the NTLM hash of a user as well as the email address associated with the current account.
This method is not exactly new, but what the author highlights are the privacy implications. It is therefore possible to only visit one page and then, without your knowledge, send personal information to another domain.
To sum up the vulnerability:
- It only works in Windows
- You must use Internet Explorer or Edge to make it work automatically
- It works in Chrome and Firefox, but then you have to manually visit an address by typing it into the address bar
We at OVPN were contacted before the article was published so we had time to fix this. However, it turns out to be easier said than done. This is because the only solution is to block three ports on all of our VPN servers. In addition, these ports can be used legitimately by our users. We have discussed this problem internally and have come to the conclusion that it is best that we clarify how customers can protect themselves, instead of blocking ports on our VPN servers.
We recommend that Windows users apply a Regedit file to fix this problem. This is very simple, all you have to do is save this content:
Windows Registry Editor Version 5.00 [HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0] "RestrictReceivingNTLMTraffic"=dword:00000002 "RestrictSendingNTLMTraffic"=dword:00000002
in a file named "fix.reg". Then double-click the file and press "OK" if UAC asks you to approve the action.
To test that it works, you can visit the page here: http://witch.valdikss.org.ru/ - However, we would like to warn you not to visit the site as it sends your private email as well as NTML hash to an outside domain. Just in case, you can visit the page after you have applied the above fix.
We will include this fix into our client in the near future, but until then you should apply the patch manually.