Microsoft Discloses New Remote Execution Flaw in SMBv3
A patch for the flaw is not yet available, but there are no known exploits -- so far.
March 11, 2020
Among the more critical vulnerabilities that Microsoft disclosed yesterday was one that ironically was not included in its scheduled Patch Tuesday update and for which a patch is still not available.
The vulnerability exists in Microsoft's Server Message Block (SMB) protocol (SMBv3) and has prompted some concern about threat actors potentially using it to launch "wormable" exploits of the WannaCry variety.
The flaw is remotely executable. It allows attackers to gain complete control of vulnerable systems and execute arbitrary code on them within the context of the application, according to Fortinet, one of those that warned of the issue Tuesday.
A Microsoft advisory described the vulnerability as being of critical severity and impacting multiple versions of Windows 10 and Windows Server. "To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it," Microsoft said.
Since no patch is currently available for the flaw, Microsoft is recommending organizations disable SMBv3 compression so unauthenticated attackers are prevented from exploiting the vulnerability. However, that particular workaround does not protect SMB clients against exploitation. For that Microsoft is recommending organizations block TCP port 445 at the enterprise firewall.
"Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability," the company said, though they would still remain vulnerable to attacks from inside the perimeter.
Microsoft is urging all organizations to install updates for the vulnerability as soon as possible after they become available, even those organizations that have implemented the recommended workarounds.
No exploit for the vulnerability is known to be current available. Even so, organizations with exposed SMB services — typically port 445 — are at immediate risk, says Jonathan Knudsen, senior security strategist at Synopsys.
The SMB protocol allows Windows systems to share files printers, for example. Organizations often leave the service enabled on Internet-connected systems, giving attackers a potential entryway to their networks. In recent years, attackers have used exploits like the NSA-developed EternalBlue to spread malware via one vulnerable system to the next in a very effective fashion.
"To mitigate this risk, they should either disable the service altogether or follow Microsoft's advice to disable compression until a fix is available," Knudsen says. "Client computers will be vulnerable until a fix is available, so concerned organizations should curtail or discontinue their use of SMB until that point."
Unexpected Disclosure
Microsoft declined to comment to Dark Reading on why the vulnerability was not disclosed with all the other bugs in the Patch Tuesday update or to provide any other details besides what's contained in the security advisory.
Some, though, suggest Microsoft might have been forced to issue the advisory after a couple of security vendors — Cisco Talos and Fortinet — inadvertently disclosed details of the flaw this week. According to Duo Security, which is also part of Cisco, Microsoft shares information about its security updates with antivirus companies, hardware vendors, and other trusted third parties.
It's possible that Cisco Talos and Fortinet had information about the SMBv3 issue and released it thinking it would be part of the Patch Tuesday release, the vendor said in a blog. "While Cisco Talos and Fortinet have updated their advisories to remove references to the vulnerability, enough people saw the descriptions," Duo said. According to Duo, the two vendors identified the vulnerability as CVE-2020-0796 though Microsoft itself did not refer to a CVE identifier in its security advisory.
A Fortinet brief described the vulnerability as a buffer overflow issue in SMB server. "The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," the security vendor said in urging organizations to apply Microsoft's update as soon as it becomes available.
"Ideally, a coordinated disclosure timeline would have researchers disclosing the vulnerability to the vendor, the vendor creating and publishing a fix, and then a coordinated public disclosure of the vulnerability," Knudsen says. "For whatever reason, that process appears to have gone awry in this case."
Thomas Hatch, CTO and co-founder at SaltStack, says news of the latest flaw highlights the need for organizations to properly secure SMB services. "SMB, like many such services, should never be exposed to the outside Internet. This is typically how these types of vulnerabilities get exploited," he says.
Also, given the prevalence of SMB, if an exploit is made public, it could prove to be a large issue for companies to deal with, cautions Charles Ragland, security engineer at Digital Shadows. In addition to Microsoft's recommended actions, organizations should follow security best practices.
"Disable unnecessary services, block ports at the firewall, and ensure that host based measures are in place to prevent users from accessing/modifying security controls," Ragland says.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."
About the Author
You May Also Like