Windows Alert: Critical SMB_v3 Flaw Requires WorkaroundMicrosoft Recommends Emergency Disabling of SMBv3 Compression, Pending Patches
Update: On Thursday, March 12, Microsoft released a patch for CVE-2020-0796 to fix the flaw on all affected clients and servers. "The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests," Microsoft says.(see Microsoft Patches Wormable SMBv3 Flaw)
Microsoft on Tuesday revealed a serious flaw in Windows SMB_v3 that could be exploited by attackers to remotely seize control of vulnerable clients and servers. No in-the-wild attacks that exploit the flaw have been seen, and details about how to exploit the flaw do not yet appear to have publicly come to light.
Short for server message block, SMB is a protocol used by Windows to share files, printers, serial ports, communications and more between systems.
While Microsoft is developing a patch for the critical vulnerability, no full fix is yet available. As a result, it recommends that all Windows administrators immediately install workarounds to prevent hackers from exploiting the flaw on SMB servers. But no such workarounds exist for SMB clients.
"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," Microsoft says in its security alert. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB server or SMB client."
The advisory adds: "You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server."
Microsoft is aware of a RCE vulnerability in the way that the SMBv3 protocol handles certain requests. If you wish to be notified when updates for this vulnerability are available, please follow the guidance in the advisory linked here: https://t.co/x5Z658xQ6t— Security Response (@msftsecresponse) March 10, 2020
The flaw exists in all versions of Windows 10 as well as Windows Server Core, builds 1903 and 1909. It's not clear if any no-longer-supported versions of Windows might also be affected.
"To exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it," Microsoft says.
Fortinet's FortiGuard Labs notes in a vulnerability alert that the flaw involves "a buffer overflow vulnerability in Microsoft SMB servers" that exists "due to an error when the vulnerable software handles a maliciously crafted compressed data packet."
Microsoft has also released guidance on how to configure firewalls to help mitigate attempts to target SMB.
But the company has issued no timeline for when patches will be available to protect SMB_v3 clients and servers.
Adding cause for concern: The flaw could be targeted via a worm, meaning that malware could spread directly from one infected system to another across an internal network.
Microsoft Describes 'Best Defense'
To safeguard clients against internet-borne attacks, the "best defense" is to block TCP port 445, which "is used to initiate a connection with the affected component," Microsoft says. "Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter."
All organizations should immediately review whether any of their systems are exposing TCP port 445 to the internet, says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.
"In most cases the SMB vulnerability will be limited to internal networks. However, it is key to gain assurance that you are not exposing the service to the internet," Stubley tells Information Security Media Group.
"The advisory from Microsoft provides a timely reminder that organizations should have a robust vulnerability management program that not only reacts to patches becoming available, but also workaround advisories to mitigate exposure," he says (see: Patch or Perish: VPN Servers Hit by Ransomware Attackers).
How prevalent is the flaw? In terms of clients, that is not yet clear. But security firm Kryptos Logic says that based on its internet scans, it's counted about 48,000 vulnerable servers.
We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).— Kryptos Logic (@kryptoslogic) March 12, 2020
Uncoordinated Vulnerability Disclosure
While Microsoft typically groups security alerts and patches into batches that it releases on the second Tuesday of every month - aka "Patch Tuesday" - details of this particular flaw appear to have been accidentally disclosed via Cisco Talos, which referenced the flaw in a Tuesday blog post as being CVE-2020-0796, before taking the post down.
What accounts for the coordinated vulnerability disclosure blunder? Security experts say that Microsoft may have planned to patch the flaw this month, before delaying the fix, while failing to properly communicate the change of plan to business partners.
The researchers known as Malware Hunter Team, among others, began referencing the flaw as SMBGhost, since the existence of the flaw was originally in question.
Some people wants to be cool and name it with including the word "corona" in it.— MalwareHunterTeam (@malwrhunterteam) March 10, 2020
We recommend to use SMBGhost name for it - SMB is obviously for what, Ghost because "it not exists".
After some initial confusion, details subsequently came to light, however, with Microsoft confirming the vulnerability later on Tuesday.
Flashback: WannaCry and Eternal Blue
If the SMB_v3 worm worries sound familiar, it might be because the outbreak of WannaCry ransomware that began in May 2017 included the worm-like ability to move from system to system by exploiting an SMB_v1 flaw known as EternalBlue, aka CVE-2017-0144.
Recap: The U.S. National Security Agency developed the EternalBlue exploit tool, which was somehow obtained - and later leaked - by the Shadow Brokers gang in April 2017. The designers of WannaCry - the U.S. and U.K. governments blame North Korea - used EternalBlue to give WannaCry its worm-like capability to spread from device-to-device.
WannaCry's rapid spread pointed to widespread corporate patch management deficiencies, since Microsoft had released patches for EternalBlue before the ransomware appeared. Even now, a significant number of Windows systems remain vulnerable to EternalBlue (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).