
Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw


itman


 

Quote

Microsoft leaked info on a security update for a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month's Patch Tuesday.

The vulnerability is due to an error when the SMBv3 handles maliciously crafted compressed data packets and it allows remote, unauthenticated attackers that exploit it to execute arbitrary code within the context of the application.

Desktop and server Windows 10 versions impacted

Devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation) are impacted by this vulnerability according to a Fortinet advisory, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012.

"An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," Cisco Talos explained in their Microsoft Patch Tuesday report — this was later removed by the Talos security experts.

"The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim," they also added.

Fortinet says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems.

Due to Microsoft's secrecy, people are coming up with their own theories regarding the malware and its severity, some comparing it to EternalBlue, NotPetya, WannaCry, or MS17-010 (1, 2).

Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.

Available CVE-2020-0796 mitigations

Until Microsoft will release a security update designed to patch the CVE-2020-0796 RCE vulnerability, Cisco Talos shared that disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.

Although an official way of disabling SMBv3 compression was not shared by Microsoft, Foregenix Solutions Architect Niall Newman was able to find after analyzing the Srv2.sys file that it can be done by:

1. Going to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
2. Creating a DWORD value called CompressionEnabled
3. Setting its value to 0.

While no proof-of-concept exploits have been released yet for this wormable SMBv3 RCE, we recommend implementing the mitigation measures shared by Cisco Talos until Microsoft will release an out-of-cycle security update to fix it seeing that almost all the info is out anyway.

BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication. 

If you're Microsoft you basically have little choice now but to release the patch for 2020-0796 out-of-cycle as soon as it meets quality standards, right? There's too much info out there to just hope somebody won't find it before April.

Fun times for sysadmins everywhere.

— Brian in Pittsburgh (@arekfurt) March 10, 2020
Edited by itman

Per above bleepingcomputer.com posted link.

Update: Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts.

You can disable compression on SMBv3 servers with this PowerShell command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment

Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment

Edited by itman
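The registry mitigation above and the earlier post's "disable compression and block TCP 445" advice are easy to apply but hard to keep track of across a fleet. The script below is an added example (not from this thread, Microsoft's advisory, or BleepingComputer) that audits one Windows 10 host for its CVE-2020-0796 state and can apply the same DisableCompression value the advisory sets. It assumes an elevated PowerShell session on the host being checked, that Windows 10 / Server builds 18362 (1903) and 18363 (1909) are the affected builds, and that KB4551762 is the fix named later in this thread; the function names Get-SmbGhostExposure and Set-SmbGhostMitigation are my own.

```powershell
# Added example: audit a host for CVE-2020-0796 exposure and optionally apply
# the SMBv3 server compression mitigation from Microsoft's advisory.
# Assumptions: elevated session; builds 18362/18363 are the affected Windows 10
# and Server Core 1903/1909 builds; KB4551762 is the out-of-band fix.

$RegPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName      = 'DisableCompression'
$FixKb          = 'KB4551762'
$AffectedBuilds = @(18362, 18363)   # Windows 10 / Server 1903 and 1909

function Get-SmbGhostExposure {
    [CmdletBinding()]
    param()

    # OS build from WMI/CIM (string), cast to int for the comparison.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $buildAffected = $AffectedBuilds -contains $build

    # Registry mitigation: a missing value means compression is still enabled.
    $disable = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $compressionDisabled = ($disable -eq 1)

    # Is the out-of-band fix installed?
    $patched = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    # Is the SMB server actually listening on TCP 445 on this host?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        BuildAffected       = $buildAffected
        Patched             = $patched
        CompressionDisabled = $compressionDisabled
        Listening445        = $listening
        # Server-side exposure: affected build, no fix, compression still on.
        Exposed             = ($buildAffected -and -not $patched -and -not $compressionDisabled)
    }
}

function Set-SmbGhostMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($RegPath, "Set $ValueName = 1 (disable SMBv3 server compression)")) {
        # Same value Microsoft's advisory sets; takes effect without a reboot.
        Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force
    }
}

# Usage: report the state, and stage the mitigation only when the host is exposed.
$state = Get-SmbGhostExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning "Unpatched affected build with SMBv3 compression enabled."
    Set-SmbGhostMitigation -WhatIf   # drop -WhatIf to apply
}
```

Two caveats the thread itself states and the script reflects: DisableCompression only covers the SMB server side, so a client on an affected build that connects to a malicious SMBv3 server is still at risk until KB4551762 is installed, and the port 445 check here is a local view, not a substitute for blocking 445 at the perimeter as Microsoft recommends.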

Quote

How does SMBGhost work?

An attacker could gain the ability to execute code on a target SMB server or client. The Microsoft advisory says, “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.” This means if the attacker can reach the SMBv3 server they can execute the code, but SMB client requires them to connect to a malicious SMBv3 Server, so properly training the employees on recognizing common social hacking can help mitigate it a little bit.

https://www.pdq.com/blog/cve-2020-0796/

Edited by itman


I wonder how a critical exploit like this is discovered by Microsoft and yet a fix wasn't included in their March update.

Wondering what is the reason.


26 minutes ago, Nightowl said:

I wonder how a critical exploit like this is discovered by Microsoft and yet a fix wasn't included in their March update.

Wondering what is the reason.

Unless they had a fix but it itself was buggy


32 minutes ago, Nightowl said:

I wonder how a critical exploit like this is discovered by Microsoft and yet a fix wasn't included in their March update.

Wondering what is the reason.

Microsoft was supposed to include a fix in last Tues. Win 10 cumulative update for 1903 and 1909 versions. They pulled it at the last moment; assume they found a bug in it. However, news of the patch had already been "leaked" to reporting services.

Hence, we now have a "perfect hacker storm" in place.


Microsoft Releases KB4551762 Security Update for SMBv3 Vulnerability

Quote

Microsoft released the KB4551762 security update to patch the pre-auth RCE Windows 10 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3), two days after details regarding the flaw were leaked as part of the March 2020 Patch Tuesday.

The KB4551762 security update tracked as CVE-2020-0796 addresses "a network communication protocol issue that provides shared access to files, printers, and serial ports," according to Microsoft.

KB4551762 can be installed by checking for updates via Windows Update or by manually downloading it for your Windows version from the Microsoft Update Catalog.

"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft says.

https://www.bleepingcomputer.com/news/security/microsoft-releases-kb4551762-security-update-for-smbv3-vulnerability/

Edited by itman

  • 3 weeks later...

SMBGhost Vulnerability Allows Privilege Escalation on Windows Systems

Quote

Researchers have published proof-of-concept (PoC) exploits to demonstrate that the Windows vulnerability tracked as SMBGhost and CVE-2020-0796 can be exploited for local privilege escalation.

Microsoft says the vulnerability, which it patched on March 12 with an out-of-band update, can be exploited for remote code execution on SMB clients and servers. The critical flaw, described as “wormable” and related to the way SMB 3.1.1 handles certain requests, affects Windows 10 and Windows Server versions 1903 and 1909.

https://www.securityweek.com/smbghost-vulnerability-allows-privilege-escalation-windows-systems

Edited by itman

  • 3 weeks later...

Windows 10 SMBGhost RCE exploit demoed by researchers

Quote

A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 'wormable' pre-auth remote code execution vulnerability was developed and demoed today by researchers at Ricerca Security.

The security vulnerability, also known as SMBGhost, was found in the Microsoft Server Message Block 3.1.1 (SMBv3) network communication protocol and it only impacts systems running Windows 10, version 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909.

DoS, LPE, and now an RCE PoC exploit

After a number of proofs-of-concept (PoC) exploits surfaced, including a denial-of-service one developed by Kryptos Logic security researcher Marcus Hutchins, Microsoft released security patches for all affected platforms on March 12.

"However, while there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far," Ricerca Security researchers said today.

https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-exploit-demoed-by-researchers/

Edited by itman
