Wormable Windows SMBv3 RCE flaw leaked, but not patched
Yesterday, when Microsoft released its regular Patch Tuesday fixes, Cisco Talos and Fortinet inadvertently(?) also published information about CVE-2020-0796, a “wormable” vulnerability in the Microsoft Server Message Block (SMB) protocol that has yet to be fixed.
Cisco Talos has since removed the entry but, a few hours later, Microsoft published an advisory offering more information and workarounds to be implemented until a fix is made available.
CVE-2020-0796 is a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
“An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” Microsoft explained.
“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
The vulnerability is not being actively exploited and was discovered internally by Microsoft.
Unlike the Microsoft Windows SMB Server flaws used by the EternalBlue and EternalRomance exploits, which were leveraged for the 2017 WannaCry and NotPetya outbreaks, CVE-2020-0796 only affects SMBv3 and, therefore, does not affect Windows 7 and Windows Server 2008 R2 systems.
Keep calm, your Windows 7 embedded systems offering SMB over the Internet are safe 😅
As it only affects SMBv3, which reduces the previous attack surface significantly. (EternalBlue / WannaCry) https://t.co/9Mk0cC9sCl
— Florian Roth (@cyb3rops) March 11, 2020
According to Microsoft’s advisory, it affects Windows 10 (versions 1903 and 1909) and Windows Server (1903 and 1909).
What to do?
Microsoft advised admins to:
- Disable SMBv3 compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server
- Block TCP port 445 at the enterprise perimeter firewall (since it is used to initiate a connection with the affected component). This action will not stop attacks from within their enterprise perimeter.
There is currently no workaround for mitigating the danger for SMB clients.
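The server-side workaround above, as an added PowerShell example that is not from the article or from Microsoft's advisory text: it checks whether the host is one of the listed releases, reports whether SMBv3 compression is already disabled, and applies the setting only when asked. The registry location (DisableCompression under the LanmanServer Parameters key) and the build-to-release mapping (18362 = 1903, 18363 = 1909) are assumptions taken from Microsoft's published guidance, not from this page.

```powershell
# Added example: audit and (optionally) apply the SMBv3 compression
# workaround for CVE-2020-0796 on one host. Assumed, not quoted on the page:
# the workaround is DWORD DisableCompression = 1 under the LanmanServer
# Parameters key, and releases 1903/1909 correspond to builds 18362/18363.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports state
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'DisableCompression'
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

# Identify the OS build and map it to the release names used in the advisory.
$build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$release = $affectedBuilds[$build]
if (-not $release) {
    Write-Output "Build $build is not 1903/1909; CVE-2020-0796 does not apply here."
    return
}
Write-Output "Windows release $release (build $build) is in scope for CVE-2020-0796."

# Read the current value; a missing value means compression is still enabled.
$current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Output "SMBv3 compression already disabled (DisableCompression = 1)."
    return
}
$state = if ($null -eq $current) { 'absent' } else { "$current" }
Write-Output "SMBv3 compression enabled (DisableCompression = $state); SMB Server role is exposed."

if (-not $Apply) {
    Write-Output "Re-run with -Apply to set the workaround."
    return
}
# -WhatIf / -Confirm are honoured through ShouldProcess before writing.
if ($PSCmdlet.ShouldProcess("$regPath\$valueName", 'Set to 1')) {
    Set-ItemProperty -Path $regPath -Name $valueName -Type DWord -Value 1 -Force
    Write-Output "Workaround applied. This covers the SMB Server side only; clients stay unmitigated."
}
```

Run it without switches from an elevated prompt to audit, and with -Apply (or -Apply -WhatIf to preview) to change the setting; blocking TCP 445 at the perimeter is a separate network control the script does not touch.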
I’d say that Microsoft will be rushing to deliver a patch soon to head off attackers who are likely already trying to unearth the flaw.
For the moment, there are no PoC exploits or full exploits available online.