Microsoft has issued an emergency security update for Windows 10 users to patch a 'wormable' pre-auth remote code execution vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol. The patch comes two days after Microsoft acknowledged the existence of the vulnerability, tracked as CVE-2020-0796, which it missed in this month’s Patch Tuesday update.
“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client,” said the update.
“The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.”
To gain access to an SMB server using this vulnerability, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To use it against an SMB Client, the attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it, explained the announcement.
Microsoft acknowledged the flaw on 10 March after security vendors who were part of the Microsoft Active Protections Program disclosed its details. It is presumed that partners in this program are alerted to vulnerabilities first.
The security update is important because the SMB protocol in question, which is used for sharing files, was also vulnerable to the EternalBlue (CVE-2017-0144) exploit, which was weaponised into the WannaCry ransomware.
CVE-2020-0796 has been assigned a maximum score of 10 on the Common Vulnerability Scoring System (CVSS). The Patch Tuesday update fixed 115 bugs, of which 26 have received a rating of Critical, meaning they're both easy to exploit and will most likely result in a full device compromise if they are ever exploited.
Among the vulnerabilities, Remote Code Execution vulnerability CVE-2020-0684 exists in Windows 7 through 10, and customers who still use Windows 7 will not get a patch for this unless they have paid for extended support, noted Allan Liska, Senior Solutions Architect at Recorded Future.
“While Microsoft rates this vulnerability as less likely to exploit, a similar vulnerability from 2017, CVE-2017-8464, is still being actively exploited in the wild, most notably by the BlackSquid exploit kit,” he explained.
The latest vulnerability affects Windows 10 Version 1903 for 32-bit systems, ARM64-based systems, and x64-based systems; Windows 10 Version 1909 for 32-bit systems, ARM64-based systems, and x64-based systems; as well as Windows Server, version 1903 and 1909 (Server Core installation).