CVE-2020-0796 affects version 3.1.1 of Microsoft’s SMB file-sharing system and was not included in Patch Tuesday, but was patched the following day.
Microsoft released an emergency out-of-band patch on Thursday to fix a wormable SMBv3 bug that leaked earlier this week. The patch for the vulnerability, tracked as CVE-2020-0796, is now rolling out to Windows 10 and Windows Server 2019 systems worldwide, according to Microsoft.
On Wednesday Microsoft warned of a wormable, unpatched remote code-execution vulnerability in the Microsoft Server Message Block protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017. Microsoft released its fix, KB4551762, the following day as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).
The critical bug affects Windows 10 and Windows Server 2019, and was not included in Microsoft’s Patch Tuesday release this week.
The bug can be found in version 3.1.1 of Microsoft’s SMB file-sharing system. SMB allows multiple clients to access shared folders and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. This was played out in version 1 of SMB back in 2017, when the WannaCry ransomware used the NSA-developed EternalBlue SMB exploit to self-propagate rapidly around the world.
In this case, “to exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,” Microsoft explained in its advisory, issued Wednesday. “To exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”
Microsoft issued its advisory only after details of the bug were published online by Cisco Talos and Fortinet. The firms’ disclosure appears to have been the result of a miscommunication with Microsoft; both posts have since been taken down.
According to Duo Security, Fortinet had described the issue as a “Buffer Overflow Vulnerability in Microsoft SMB Servers” and said it could be used to execute arbitrary code within the context of the application. Cisco Talos meanwhile warned that a “wormable” attack would be able to exploit the vulnerability to “move from victim to victim.”
Threatpost reached out to both firms for additional details. Cisco Talos told Threatpost, “On March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized. As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. We are aware that this may have caused some confusion and will follow up when we have more to offer.”
While the bug is dangerous, researchers said it likely won’t lead to “WannaCry 2.0.”
“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,” Richard Melick, senior technical product manager at Automox, told Threatpost. “But that does not mean organizations should be disregarding any endpoint hardening that can happen now while Microsoft works on a patch…it’s better to respond today and disable SMBv3 and block TCP port 445. Respond now and vulnerabilities end today.”
Jake Williams, founder of security firm Rendition Security, said on Twitter that the risk of exploitation is mitigated by kernel protections – specifically kernel address space layout randomization (KASLR). KASLR randomly arranges the address space positions of key data areas of a given process. It essentially means that an attacker can’t establish one attack path and use it over and over again.
“Core SMB sits in kernel space and KASLR is great at mitigating exploitation,” tweeted Williams. “Assuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.” He added, “Even with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, look at BUCKEYE. They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn’t easy.”
So far, there’s no evidence that the vulnerability has been exploited in the wild, Microsoft said in the advisory. However, Melick said to proceed with caution.
“There are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?” Melick noted – the latter in reference to the wormable bug disclosed last year that some feared would lead to another WannaCry-level event. Exploits for BlueKeep, however, have so far fallen well short of researchers’ initial fears.
In lieu of a patch, Microsoft on Wednesday noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.
To protect clients from outside attacks, it’s necessary to block TCP port 445 at the enterprise perimeter firewall.
“TCP port 445 is used to initiate a connection with the affected component,” Microsoft noted. “Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid internet-based attacks.”
However, systems could still be vulnerable to attacks from within the enterprise perimeter – so once attackers penetrate the corporate network, they could use an exploit to move around in an unfettered way. Microsoft has published general guidelines to prevent lateral connections.
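The two mitigations described above (disabling SMBv3 compression on servers and confirming that TCP 445 is not exposed) as one audit-and-apply script. This is an added example, not from the article or from Microsoft; the registry path and `DisableCompression` value are the ones Microsoft’s advisory workaround sets, while the listener and firewall-rule checks are assumptions about how an administrator would verify the port block on a host.

```powershell
# Added example (not from the article): apply the SMBv3 compression workaround
# for CVE-2020-0796 and report whether TCP 445 is reachable on this host.
# Run in an elevated PowerShell session on Windows 10 / Server 2019.
# Registry path and value name are those from Microsoft's advisory workaround.
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'DisableCompression'

function Get-SmbCompressionState {
    # 'Disabled' when the workaround is in place, 'Enabled' otherwise.
    $v = Get-ItemProperty -Path $params -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.$valueName -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # The server-side workaround: DisableCompression = 1 (DWORD). No reboot needed.
    # Note this only protects the SMB server role; clients still rely on the
    # perimeter block of TCP 445 described in the advisory.
    Set-ItemProperty -Path $params -Name $valueName -Type DWORD -Value 1 -Force
}

function Test-Smb445Exposure {
    # Report whether anything listens on TCP 445 and which enabled inbound
    # firewall rules allow it, so the host-level block can be confirmed.
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{
        Listening445     = [bool]$listeners
        AllowRulesFor445 = @($allowRules)
    }
}

# Audit, apply the workaround if needed, then re-check.
$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.Version)"
"SMB compression before: $(Get-SmbCompressionState)"
if ((Get-SmbCompressionState) -eq 'Enabled') {
    Disable-SmbCompression
    "SMB compression after:  $(Get-SmbCompressionState)"
}
Test-Smb445Exposure | Format-List
```

Once KB4551762 is installed the registry workaround can be reverted by setting the value back to 0; the port-445 perimeter block remains good practice regardless.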