Microsoft discloses wormable flaw after Patch Tuesday announcement

News by Chandu Gopalakrishnan

Microsoft acknowledged 'wormable' pre-auth remote code execution vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol

Microsoft has acknowledged the existence of a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol. This comes a day after reports came out that the software giant had alerted security vendors who are part of its Active Protections Program about the vulnerability.

The vulnerability, tracked as CVE-2020-0796, is due to an error in how SMBv3 handles maliciously crafted compressed data packets, and it allows remote, unauthenticated attackers to execute arbitrary code within the context of the application.

“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” said the announcement.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it,” it added.

Many security vendors in the Microsoft Active Protections Program, whose members are presumed to get early information about vulnerabilities, announced the details of the security flaw.

The existence of this vulnerability came to light when a participant security vendor’s blog listed it after March’s Microsoft Patch Tuesday alert, which fixed 115 vulnerabilities. The vendor removed the reference to the vulnerability immediately after the blog was published, but not before security researchers took screenshots of the accidental disclosure.

SMB (Server Message Block), the protocol used for sharing files, was also vulnerable to the EternalBlue (CVE-2017-0144) exploit, which was weaponised into the WannaCry ransomware, noted Kieran Roberts, head of penetration testing at Bulletproof.

“From the information we have, it appears that this new vulnerability is also ‘wormable’ - a worm is a piece of malware that is self-replicating, meaning that it can propagate throughout a network without help from a user. This means that this new vulnerability could result in a resurgence of ransomware attacks such as WannaCry and NotPetya, which both used the very similar EternalBlue exploit,” he said.

“Currently, Microsoft do not have a patch for this and they have not commented (so far) on when one might be available. The only reason we know that this bug exists is because Microsoft included some details about this vulnerability in their Patch Tuesday details but then they didn’t actually patch the problem. I expect this means that they intended to include this fix in the most recent patch, but when they didn’t make the deadline, they forgot to remove the information from the Patch Tuesday notes,” he added.

Microsoft has provided workaround instructions to help prevent attackers from exploiting the vulnerability, which include disabling compression for SMBv3 as well as blocking TCP port 445 at the perimeter firewall, but cautions that these fixes only prevent potential exploitation server side, and will not protect vulnerable SMB clients. 

In order to attack an SMB Client, the attacker would need to configure a malicious SMB server and convince users to connect to it, Satnam Narang, principal security engineer at Tenable, pointed out.

“Currently, little information is available about this new flaw, and the time and effort needed to produce a workable exploit is unknown. At this point, organisations would be wise to review and implement the workarounds Microsoft has provided and begin prioritising patch management for the flaw once patches are released.”
