Don’t Panic: Potentially wormable flaw only present in latest systems

Microsoft released an out-of-band security update to patch a remote code execution (RCE) vulnerability impacting Server Message Block (SMB) on Thursday, just two days after its regular Patch Tuesday releases.

The software vendor was obliged to rush out a fix after security partner inadvertently disclosed details of the flaw, which is of a type previously exploited by high-profile threats such as the WannaCry worm.

If left unaddressed, the vulnerability (CVE-2020-0796) in Microsoft SMB 3.1.1 (SMBv3) could be exploited by a remote attacker to plant malicious code on vulnerable systems.

Exploitation would involve sending a specially crafted, compressed data packets to a targeted SMBv3 server.

The flaw stems from bugs in how “Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests”, an advisory from Microsoft explains.

New flaws on the Block

SMB is a networking protocol that’s used for sharing access to file and printers. The same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit harnessed by the infamous the WannaCry ransomware.

The vulnerability exists in a new feature that was added to Windows 10 version 1903, so older versions of Windows do not support SMBv3.1.1 compression are immune from the security flaw.

Both Windows 10 clients and Windows Server, version 1903 and later, need patching

Preliminary scans by security experts suggest only 4% of publicly accessible SMB endpoints are vulnerable.

Server-side workarounds have been released for organizations running affected software but unable to rapidly roll out patches. This includes disabling compression for SMBv3 as well as blocking TCP port 445 at the perimeter firewall.

Accidental disclosure

Satnam Narang, principal security engineer at security tools vendor Tenable, commented: “The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog.

“Soon after the accidental disclosure, references to it were removed from the blog post.”

At the time of writing, no proof of concept exploit code for CVE-2020-0796 has been publicly released.

Narang added that how readily exploitable this vulnerability might prove to be currently remains unknown.

“This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks,” Narang explained.

“It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.”

RELATED Microsoft Exchange Server admins urged to treat crypto key flaw as ‘critical’