Microsoft Patches Wormable SMBv3 FlawSecurity Update Adds to 150 Fixes Already Issued This Month
Ready, set, patch: Microsoft on Thursday released a fix for a remote code execution vulnerability in recent versions of Windows 10 and Windows Server.
The "out of band" security update follows the usual batch of monthly security updates having already been released on Tuesday. Overall, this month's "Patch Tuesday" featured fixes for 115 different flaws.
But one additional flaw - designated critical, because it could be used by remote attackers to execute arbitrary code on vulnerable systems - came to light, apparently due to a coordination failure between Microsoft and one or more of the security business partners with which it shares advance warnings of flaws that it plans to fix.
The vulnerability, due to a flaw in the Microsoft Server Message Block 3.1.1 - SMBv3 - protocol, exists in some 32-bit and 64-bit versions of Windows 10 as well as some versions of Windows Server (see: Windows Alert: Critical SMB_v3 Flaw Requires Workaround).
"This vulnerability applies to Windows 10 (version 1903), Windows 10 (version 1909), Windows Server (version 1903) and Windows Server (version 1909)," Microsoft says. "While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority."
To eliminate the flaw on clients, Microsoft says its update, KB4551762, must be installed, even for organizations that have already put one of the server workarounds in place that the company detailed earlier this week.
Any organization using a vulnerable version of Windows 10 or Windows Server that has automatic updates enabled will automatically get the fix. But for any organization that manually manages updates, Microsoft says they must download and install the new security updates it pushed Wednesday.
"Please update ASAP or use the workaround information ... to protect your networks," tweeted Nate Warfield, a member of the Microsoft Security Research Team.
https://t.co/2IPGflplpXhttps://t.co/JDq7LShv9v— Nate Warfield (@n0x08) March 12, 2020
We just released a patch for CVE-2020-0796 and it is available via all normal channels.
Please update ASAP or use the workaround information in ADV200005 to protect your networks.
Vulnerable Servers Abound
What's the risk? On Thursday, security firm Kryptos Logic reported counting at least 48,000 vulnerable Windows Server hosts that have the flaw and are internet-connected.
We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).— Kryptos Logic (@kryptoslogic) March 12, 2020
"Less than 4 percent of publicly accessible SMB endpoints potentially have this vulnerability as it relies on specific versions of OS, so I would suggest organizations do not over-react," says British security expert Kevin Beaumont.
That said, Tal Be'ery, a security researcher at KZen, notes that if exploited, the flaw could be used at least to crash vulnerable systems by triggering the dreaded Windows "blue screen of death."
Currently no active RCE exploits reported in the wild, but BSOD (DoS) is trivial https://t.co/Fcirk8X7DV— Tal Be'ery (@TalBeerySec) March 12, 2020
One piece of good news - besides a patch now being available - is that the bug appears to be tough for hackers to exploit. "According to @zerosum0x0, a person who has analyzed WannaCry in the past, the bug is trivial to find but not so easy to exploit," Lucas George, a researcher at security firm Synacktiv, says in a blog post.
Not Patching Yet?
Until organizations install the patch, they can mitigate the flaw for servers by using a Microsoft workaround, which involves deactivating SMBv3 compression. But there are no complete workarounds for clients, meaning they remain vulnerable to exploitation until they get patched.
To partially safeguard clients, however, block TCP port 445, which "is used to initiate a connection with the affected component," Microsoft says. "Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter."
Until they patch, all organizations should ensure that they have verified that none of their systems are exposing TCP port 445 to the internet, says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.
"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority."
"In most cases, the SMB vulnerability will be limited to internal networks. However, it is key to gain assurance that you are not exposing the service to the internet," Stubley tells Information Security Media Group.
SMBv3 Flaw: Wormable
One concern with the SMBv3 flaw is that it might be exploited by attackers to build a worm that's capable of jumping directly from one infected systems to another inside corporate firewalls. That's what happened in May 2017 with WannaCry, which included the worm-like ability to move from system to system by exploiting an SMBv1 flaw known as EternalBlue, aka CVE-2017-0144.
The EternalBlue exploit tool was built by the U.S. National Security Agency, before it was somehow obtained by the Shadow Brokers gang and leaked in April 2017. Both the U.S. and U.K. governments blame North Korea for launching WannaCry, which tapped EternalBlue to enable its worm-like spreading ability.
Despite a patch having been released three years ago to fix the SMBv1 flaw targeted by EternalBlue, a significant number of Windows systems still remain vulnerable (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).
March's Patch Tuesday
The emergency SMBv3 patch follows Microsoft on Tuesday releasing 115 fixes, of which it designated 26 as being critical, 88 as important and one as being of moderate severity.
"Seven of these vulnerabilities were reported through the ZDI program," says Dustin Childs of the Zero Day Initiative bug bounty program. "None of the bugs being patched are listed as being publicly known or under active attack at the time of release. The first quarter of 2020 has certainly been a busy one for Microsoft patches. Including today's patches, there have been 265 patches in the first quarter. It will be interesting to see if this pace continues throughout the year."
The March fixes correct flaws that exist across numerous aspects of the Windows ecosystem. "Of the 26 critical vulnerabilities, 17 are for browser and scripting engines, four are for Media Foundation, two are for GDI+ and the remaining three are for LNK files, Microsoft Word and Dynamics Business," Animesh Jain of the security firm Qualys says in a blog post.
She recommends prioritizing the installation of this month's Microsoft Windows security update, the Internet Explorer security update, as well as the SMBv3 fix.
ZDI's Childs, meanwhile, warns that CVE-2020-0852, a critical Microsoft Word remote code execution vulnerability, seems destined for near-term exploitation by attackers because it works with no user interaction.
"Most code execution bugs in Office products require a user to open a specially crafted file and are thus 'important' in severity. This critical-rated Word bug requires no such user interaction," he says. "Instead, simply viewing a specially crafted file in the Preview Pane could allow code execution at the level of the logged-on user. Emailing malicious documents is a common tactic for malware and ransomware authors. Having a bug that doesn't require tricking someone into opening a file will be enticing to them."