After details about a wormable Windows SMBv3 RCE flaw (CVE-2020-0796) were inadvertently leaked on Tuesday, Microsoft has rushed to release security updates that patch it.
The flaw affects Windows 10 (versions 1903 and 1909) and Windows Server (1903 and 1909) installations, so admins who have those in their care are urged to implement the security updates right away.
Those who can’t should at least disable SMBv3 compression, block TCP port 445 at the enterprise perimeter firewall, and prevent SMB traffic from making lateral connections and from entering or leaving the network. Guidance on how to do that has also been provided by Microsoft.
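For admins triaging hosts before the update can be rolled out, the following read-only PowerShell check is an added example (not from Microsoft or from this article). It assumes, from Microsoft's public guidance rather than from the text above, that versions 1903 and 1909 are builds 18362 and 18363 and that the compression workaround is the DisableCompression DWORD under the LanmanServer parameters key; the function name is hypothetical.

```powershell
# Added example: report one host's CVE-2020-0796 exposure. Reads only, changes nothing.
# Assumptions (not in the article): builds 18362/18363 = versions 1903/1909, and the
# workaround is DisableCompression=1 under the LanmanServer parameters key.
function Get-SmbGhostExposure {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $affectedBuild = $build -in 18362, 18363

    # Server-side workaround: a missing value means compression is still enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name DisableCompression `
                -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($val -eq 1)

    # Is the SMB server actually accepting connections on TCP 445?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                            -ErrorAction SilentlyContinue)

    $status = if (-not $affectedBuild) {
        'Not an affected build'
    } elseif ($compressionDisabled) {
        'Server-side workaround in place; update still required'
    } elseif ($listening) {
        'Exposed: compression enabled and TCP 445 listening'
    } else {
        'Compression enabled, SMB server not listening'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        # Full build.revision, to compare against the build listed for the update
        OsBuild             = '{0}.{1}' -f $build, $cv.UBR
        AffectedBuild       = $affectedBuild
        CompressionDisabled = $compressionDisabled
        Listening445        = $listening
        Status              = $status
    }
}

Get-SmbGhostExposure | Format-List
```

Per Microsoft's advisory, the compression setting only covers the SMB server role; it does not protect a machine acting as an SMB client, so a host reported as having the workaround in place still needs the update.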
CVE-2020-0796 PoC exploits
CVE-2020-0796, also informally dubbed SMBGhost, could be exploited in several ways.
“A network based attack can compromise any Windows computer that has file sharing enabled, whether that machine is just a standard desktop or a more robust file server,” SophosLabs researchers have pointed out.
Attackers could also set up a malicious file sharing server, trick targets into connecting to it and return a malicious response to the connection request (the response can carry the exploit back to the user’s SMB client).
Finally, an inside attacker could exploit the flaw to give themselves SYSTEM privileges – after having gained code execution on the targeted machine.
SophosLabs researchers have developed a proof-of-concept exploit for this last scenario, but won’t be sharing it for the time being.
Other researchers have also created PoC code that can result in a DoS condition, and have noted that the bug was easy to discover, even though they did not have the patch to analyze for pointers.
Our Telltale research team will be sharing new insights into CVE-2020-0796 soon. Until then, here is a quick DoS PoC our researcher @MalwareTechBlog created. The #SMB bug appears trivial to identify, even without the presence of a patch to analyze. https://t.co/7opHftyDh0 @2sec4u pic.twitter.com/0H7FYIxvne
— Kryptos Logic (@kryptoslogic) March 12, 2020
Synacktiv’s Lucas Georges has also published an enlightening root cause analysis of the flaw.
It’s just a matter of time until attackers manage to create an exploit of their own and use it. Since there is no lack of vulnerable hosts, it could be a big problem.
Finally, while this is a big deal, I would also urge admins not to forget about the other important patches released this March 2020 Patch Tuesday.