Due to an apparent error in the Microsoft Patch Tuesday vulnerability disclosure process, news of an unpatched, critical Microsoft Server Message Block vulnerability has leaked to the public. If exploited, the bug could result in a wormable remote code execution attack on a targeted SMB server or client.
Designated CVE-2020-0796, the flaw pertains to how the Microsoft SMB 3.1.1 (or SMBv3) protocol handles certain requests. Microsoft yesterday, in a security advisory that was not officially part of the company’s Patch Tuesday announcements, acknowledged the existence of the bug.
“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” the advisory states. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
Microsoft’s acknowledgment came after at least two cyber companies — Fortinet and Cisco Talos — posted information about the flaw that they were privy to, as part of their Patch Tuesday coverage, despite the fact that Microsoft never publicly disclosed the bug. It is unknown why CVE-2020-0796 didn’t make the cut when Microsoft’s posted its monthly security updates — but the lack of a fix is certainly one possible reason.
FortiGuard Labs, the research arm of Fortinet, categorized the vulnerability as a buffer overflow, “due to an error when the vulnerable software handles a maliciously crafted compressed data packet.” Talos reportedly removed its write-up of CVE-2020-0796 from its Patch Tuesday update, although it can be viewed on a cached webpage.
Microsoft listed the affected products as Windows 10 Version 1903 for 32-bit Systems, x64-based Systems and ARM64-based Systems; Windows Server version 1903 (Server Core installation); Windows 10 Version 1909 for 32-bit Systems, x64-based Systems and ARM64-based Systems; and Windows Server version 1909 (Server Core installation).
Although there is no patch, there is a workaround: users can disable SMBv3 compression. Fortinet and Talos also advised blocking TCP port 445. “Microsoft cautions that these fixes only prevent potential exploitation server side, and will not protect vulnerable SMB clients, noted Satnam Narang, principal research engineer at Tenable, in emailed comments. “At this point, organizations would be wise to review and implement the workarounds Microsoft has provided and begin prioritizing patch management for the flaw once patches are released.”
While the existence of the vulnerability is now public knowledge, no proof-of-concept exploit has been leaked.
Reportedly, some in the cyber research community are referring to the flaw as SMBGhost and EternalDarkness, the latter name an allusion to EternalBlue, an SMB flaw in SMBv1 that was a favorite exploit vector of attackers and was used in the WannaCry ransomware attacks.
