tenable:57608 · SMB Signing not required

01 · The Real Story

This is a side door that only matters after the intruder is already in the hallway

Tenable plugin 57608 is not a software bug so much as a trust-setting problem: the remote SMB server will accept sessions where SMB signing is not required. That matters because unsigned SMB is relay-friendly; an attacker can tamper with or relay authentication traffic instead of being forced to prove message integrity. In practice this affects Windows and Windows Server systems where inbound RequireSecuritySignature is 0, plus Samba and many NAS appliances where server signing is not set to mandatory or equivalent. Newer Microsoft defaults reduce exposure on fresh Windows 11 24H2 and Windows Server 2025 builds, while domain controllers have long required signing by default.

Tenable's MEDIUM label is technically fair in the abstract but operationally inflated for enterprise prioritization. The plugin description says 'unauthenticated, remote attacker,' but the real attack path usually requires internal network position or on-path access, a coerced or poisoned NTLM authentication event, and a target that both allows unsigned SMB and receives a relayed identity with useful privileges. That combination makes this a classic post-initial-access amplifier, not a clean external foothold, so it scores lower than the vendor baseline even though the downstream blast radius can be ugly in flat networks.

"Useful to attackers already inside your network, but not a Monday-morning fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Gain an internal relay position

The attacker first needs to sit on the same internal network path or otherwise become reachable as a relay endpoint. In real operations this is commonly done after phishing, VPN compromise, rogue device placement, or an already-owned workstation. Tooling such as Responder or other LLMNR/NBNS poisoning infrastructure is typically used to attract NTLM authentication on internal segments.

Conditions required:

Attacker already has internal network access or an on-path position
East-west SMB traffic is reachable from the attacker's segment
Name resolution poisoning or authentication coercion is possible

Where this breaks in practice:

This is not a direct internet exploit; it assumes prior network access
Segmented networks, NAC, and client isolation reduce reachable hosts
Modern environments disabling LLMNR/NBNS or heavily favoring Kerberos reduce setup success

Detection/coverage: Vulnerability scanners can identify signing-not-required, but they do not validate whether the attacker can actually obtain relayable authentication on that segment.

STEP 02

Capture or coerce NTLM authentication

Once positioned, the attacker needs a user or machine to authenticate over NTLM in a way that can be relayed. Common offensive chains use Responder for poisoning or coercion techniques that trigger outbound authentication from Windows systems. The captured handshake is only useful if the target service accepts relayed NTLM and the client-server protection stack does not block it.

Conditions required:

Victim client or server emits NTLM authentication
Kerberos is not used end-to-end for the transaction
No control such as EPA or signing blocks the relay path

Where this breaks in practice:

Kerberos-first environments shrink the pool of relayable traffic
User behavior and host naming patterns affect how often poisonable lookups occur
SMB encryption or EPA on the target can break otherwise valid relay attempts

Detection/coverage: Look for suspicious name-resolution traffic, unexpected WPAD/LLMNR/NBNS patterns, and NTLM authentications sourced from unusual internal hosts.

STEP 03

Relay to an SMB server that does not require signing

The attacker then points the captured authentication at a host matching this finding. ntlmrelayx is the standard weaponized tool here; if the server does not require SMB signing, the relayed session can be accepted. This is the exact place where plugin 57608 matters: it removes one protocol-level control that would otherwise shut the door.

Conditions required:

Target SMB server accepts connections without required signing
NTLM relay to SMB is permitted by the service and network path
The relayed identity is allowed to authenticate to the host

Where this breaks in practice:

Domain controllers already require SMB signing by default
Windows 11 24H2 and Windows Server 2025 increasingly require signing by default
Third-party SMB stacks vary; some NAS appliances still lag, others now enforce stronger defaults

Detection/coverage: This is usually found well by Nessus/Tenable and by nmap --script smb2-security-mode; coverage is strong for the config state itself.

STEP 04

Turn the relayed session into impact

A successful relay is only valuable if the relayed account has meaningful rights on the target. With admin-equivalent access, operators can pivot to lateral movement, service creation, remote command execution, or credential access using the broader Impacket toolchain. Without useful privileges, the attack often stalls at mere authentication.

Conditions required:

Relayed account has local admin, share write, or other privileged access
Target allows follow-on actions over SMB/WMI/related management channels
EDR or hardening policies do not block the post-authentication action

Where this breaks in practice:

Least privilege drastically limits payoff even after a successful relay
EDR, application control, remote service restrictions, and admin tiering can stop the next step
Many relays authenticate successfully but do not translate into code execution

Detection/coverage: Watch for remote service creation, abnormal SMB admin-share access, wmiexec-style behavior, and lateral movement telemetry immediately following unusual NTLM traffic.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No CVE/KEV-style tracking exists for this specific finding, but the technique is absolutely real: MITRE ATT&CK maps `Impacket` to Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay.
Proof-of-concept availability	Commodity offensive tooling is mature and ubiquitous: `Responder` for poisoning and `Impacket/ntlmrelayx` for relay operations. This is not theoretical.
EPSS	Not applicable. This is a configuration finding, not a CVE with an EPSS record.
KEV status	Not listed in CISA KEV; there is no CVE identifier for Tenable plugin `57608` itself.
Vendor CVSS	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` (`5.3`, Medium). That vector assumes network reachability but does not capture the real prerequisite of an on-path/internal relay position.
Affected versions / platforms	Any SMB server that does not require signing: Windows/Windows Server with inbound `RequireSecuritySignature=0`, Samba with `server signing` not `mandatory`, and many legacy/third-party NAS or appliance SMB stacks.
Fixed state	There is no vendor patch version for the finding itself; the secure state is requiring SMB signing, enabling an equivalent protective control such as SMB Server EPA, or using newer Microsoft builds where signing is mandatory by default.
Default posture trend	Microsoft has moved the market here: Windows 11 24H2 and Windows Server 2025 require inbound and outbound SMB signing by default, which materially reduces future prevalence on fresh builds.
Scanning / exposure reality	This is primarily an east-west internal exposure. If TCP/445 is internet-facing, that separate exposure decision is the bigger problem; plugin `57608` mostly matters once an attacker is already inside.
Disclosure / reporting	Tenable published plugin `57608` on 2012-01-19 and lists the vulnerability publication date as 2012-01-17.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.4/10)

The decisive factor is attacker position requirement: this finding is rarely a clean external exploit and usually needs an internal or on-path relay setup first. That makes it a post-compromise force multiplier rather than a front-door compromise path, which pushes it below the vendor's generic MEDIUM rating for patch-priority purposes.

HIGH Downgrade from vendor Medium to operational Low

MEDIUM Population estimate across mixed Windows, Samba, and NAS fleets

Why this verdict

Requires prior foothold or on-path access: the attacker usually needs internal network reachability, name-resolution poisoning, or coercion capability before SMB signing weakness becomes usable.
The reachable population is narrower than the CVSS implies: domain controllers already require signing, and newer Microsoft defaults in Windows 11 24H2 / Server 2025 reduce prevalence on modern builds.
Impact depends on a second success condition: even after a successful relay, the relayed identity still needs useful privileges on the target before this becomes meaningful lateral movement.

Why not higher?

It is not higher because the chain is conditional at multiple points: internal position, relayable NTLM traffic, a server that accepts unsigned SMB, and a privileged relayed identity. Break any one of those and the attack dies. That is too much real-world friction for a HIGH or CRITICAL patching signal.

Why not lower?

It is not IGNORE because relay tooling is mature, common, and still productive in flat enterprise networks and legacy NAS estates. If you are cleaning up AD-adjacent hardening debt, this setting is a real weakness worth fixing; it just should not outrank remotely exploitable pre-auth bugs.

05 · Compensating Control

What to do — in priority order.

Require SMB signing on servers — Set Windows inbound RequireSecuritySignature=1 or the Samba/NAS equivalent so ntlmrelayx-style SMB relay fails at the protocol layer. For a LOW verdict there is no SLA; treat this as backlog hygiene and roll it out during normal hardening cycles, starting with file servers, management jump hosts, and any host reachable across user VLANs.
Audit compatibility before enforcement — Use Microsoft SMB signing audit events and pilot GPOs to find legacy clients, NAS devices, and third-party SMB stacks that will break when signing becomes mandatory. For a LOW verdict there is no SLA; do this as part of your baseline modernization work rather than emergency response.
Reduce NTLM relay opportunities — Disable LLMNR/NBNS/WPAD where possible, prefer Kerberos, and tighten NTLM usage so attackers struggle to obtain relayable authentications in the first place. For a LOW verdict there is no SLA; prioritize high-value internal segments and admin workstations first.
Use EPA or SMB encryption where supported — Microsoft explicitly calls out SMB Server EPA and globally enforced SMB encryption as protective against this class of relay attack. For a LOW verdict there is no SLA; apply during platform refreshes and to sensitive file services first.

What doesn't work

EnableSecuritySignature by itself on SMB2+ is not enough; Microsoft states the setting is effectively ignored unless SMB1 is involved, so required signing is what matters.
Perimeter firewalls do not solve the core problem because the dominant risk is internal east-west relay, not direct internet exploitation.
Password complexity alone does not stop NTLM relay; the attacker is forwarding a valid authentication exchange, not brute-forcing a password.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or jump box that can reach the target over TCP/445; it does not need admin rights on the remote host, but it does require nmap with the smb2-security-mode NSE script installed. Invoke it exactly as ./check-smb-signing.sh 10.0.0.25 or ./check-smb-signing.sh fileserver.example.com.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-smb-signing.sh
# Exit codes:
#   0 = PATCHED (SMB signing required)
#   1 = VULNERABLE (SMB signing enabled but not required, or disabled)
#   2 = UNKNOWN (host unreachable, nmap missing, parse failure)

set -u

TARGET="${1:-}"

if [[ -z "$TARGET" ]]; then
  echo "Usage: $0 <ip-or-hostname>"
  echo "UNKNOWN"
  exit 2
fi

if ! command -v nmap >/dev/null 2>&1; then
  echo "nmap not found in PATH"
  echo "UNKNOWN"
  exit 2
fi

OUT="$(nmap -Pn -n -p 445 --script smb2-security-mode "$TARGET" 2>/dev/null)"
RC=$?
if [[ $RC -ne 0 || -z "$OUT" ]]; then
  echo "nmap scan failed or returned no output"
  echo "UNKNOWN"
  exit 2
fi

# If 445 is closed/filtered, we cannot determine signing state.
if echo "$OUT" | grep -Eiq '445/tcp\s+closed|445/tcp\s+filtered|445/tcp\s+host-unreach|0 hosts up'; then
  echo "SMB port 445 not reachable"
  echo "UNKNOWN"
  exit 2
fi

# Nmap NSE commonly reports one of these strings.
if echo "$OUT" | grep -Fqi 'Message signing enabled but required'; then
  echo "PATCHED"
  exit 0
fi

if echo "$OUT" | grep -Fqi 'Message signing enabled but not required'; then
  echo "VULNERABLE"
  exit 1
fi

if echo "$OUT" | grep -Fqi 'Message signing disabled'; then
  echo "VULNERABLE"
  exit 1
fi

# Fallback: if script output is missing but SMB is open, verdict is uncertain.
echo "Could not confidently parse SMB signing state"
echo "UNKNOWN"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not let this outrank remotely exploitable pre-auth issues. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA; treat it as backlog hygiene and fold it into your normal hardening program, starting with Windows file servers, third-party NAS, and any internal admin-accessible systems where NTLM relay would create lateral movement. If any affected host also exposes TCP/445 to untrusted networks, handle that exposure immediately while you schedule SMB-signing enforcement through standard change control.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.