Microsoft leaked info on a security update for a ‘wormable’ pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month’s Patch Tuesday.
The vulnerability is due to an error when the SMBv3 handles maliciously crafted compressed data packets and it allows remote, unauthenticated attackers that exploit it to execute arbitrary code within the context of the application.
Even though the vulnerability advisory was not published by Microsoft (no explanation for this was released by Redmond so far), a number of security vendors part of Microsoft Active Protections Program who get early access to vulnerability information did release details on the security flaw tracked as CVE-2020-0796.
CVE-2020-0796 – a “wormable” SMBv3 vulnerability.
— MalwareHunterTeam (@malwrhunterteam) March 10, 2020
Desktop and server Windows 10 versions impacted
Devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation) are impacted by this vulnerability according to a Fortinet advisory, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012.
“An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to,” Cisco Talos explained — this is was also retracted after the Talos security experts published its Microsoft Patch Tuesday report.
“The exploitation of this vulnerability opens systems up to a “wormable” attack, which means it would be easy to move from victim to victim,” they also added.
Fortinet also says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems.
Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.
Available CVE-2020-0796 mitigations
Until Microsoft will release a security update designed to patch the CVE-2020-0796 RCE vulnerability, Cisco Talos shared that disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.
Although an official way of disabling SMBv3 compression was not shared by Microsoft, Foregenix Solutions Architect Niall Newman was able to find after analyzing the Srv2.sys file that it can be done by:
1. Going to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
2. Creating a DWORD value called CompressionEnabled
3. Setting its value to 0.
While no proof-of-concept exploits have been released yet for this wormable SMBv3 RCE, we recommend implementing the mitigation measures shared by Cisco Talos until Microsoft will release an out-of-cycle security update to fix it seeing that almost all the info is out anyway.
BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication.
If you’re Microsoft you basically have little choice now but to release the patch for 2020-0796 out-of-cycle as soon as it meets quality standards, right? There’s too much info out there to just hope somebody won’t find it before April.
Fun times for sysadmins everywhere.
— Brian in Pittsburgh (@arekfurt) March 10, 2020