Shortly after releasing its monthly security update, Microsoft separately issued an advisory warning its Windows users of a new critical, unpatched, and wormable vulnerability affecting the Microsoft Server Message Block (SMB) protocol.
The issue, tracked as CVE-2020-0796, is a pre-authentication remote code execution vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol. Microsoft did not address it as part of the March 2020 Patch Tuesday. The flaw affects Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909. It stems from an error in how SMBv3 handles maliciously crafted compressed data packets, and it lets a remote, unauthenticated attacker execute arbitrary code in the context of the affected SMB server or client.
“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,” Microsoft disclosed in an advisory. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
“The exploitation of this vulnerability opens systems up to a ‘wormable’ attack, which means it would be easy to move from victim to victim,” they also added.
SMB allows multiple clients to access shared folders. It can also provide a rich playground for malware when it comes to lateral movement and client-to-client infection.
Until a patch is available, Microsoft said SMBv3 servers can be protected by disabling SMBv3 compression, which blocks unauthenticated remote attackers from exploiting the server-side path. Administrators can use the following PowerShell command, which takes effect without a reboot:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
That workaround does not protect SMB clients, or servers acting as clients, that connect to a malicious SMB server; but that scenario requires a user to be lured into connecting, so it is not wormable. Microsoft also recommended blocking TCP port 445, the port SMB traffic travels over between machines, at the enterprise perimeter firewall. Blocking 445 inside the network as well stops file and printer sharing, so internal blocks should be scoped deliberately rather than applied everywhere.
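The workaround described above, wrapped into an idempotent check-apply-verify script, as an added example that is not part of Microsoft's advisory. It assumes an elevated PowerShell session on one of the affected releases; the registry path and value name are the ones Microsoft published, while the function names, the firewall rule name, and the decision to scope the host firewall rule to the Public profile are this example's own choices.

```powershell
# Added example (not the advisory's own script): decide whether this host is in
# scope for CVE-2020-0796, apply Microsoft's server-side workaround, verify the
# registry state, and optionally add a host firewall rule for TCP 445.
# Run from an elevated PowerShell session.

$LanmanParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedReleases = @('1903', '1909')   # per the advisory: Windows 10 / Server 1903 and 1909

function Test-SmbGhostInScope {
    # ReleaseId identifies the Windows 10 / Server feature release (e.g. "1909").
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return ($AffectedReleases -contains $cv.ReleaseId)
}

function Get-SmbCompressionWorkaroundState {
    # $true only when DisableCompression exists and is 1. A missing value or 0
    # means SMBv3 compression, and with it the vulnerable code path, is still enabled.
    $p = Get-ItemProperty -Path $LanmanParams -Name 'DisableCompression' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DisableCompression -eq 1)
}

function Disable-SmbServerCompression {
    # Same write as Microsoft's one-liner, with -Name spelled out. No reboot needed.
    Set-ItemProperty -Path $LanmanParams -Name 'DisableCompression' -Type DWORD -Value 1 -Force
}

function Enable-SmbServerCompression {
    # Rollback for after a vendor patch is installed: value 0 re-enables compression.
    Set-ItemProperty -Path $LanmanParams -Name 'DisableCompression' -Type DWORD -Value 0 -Force
}

function Block-InboundSmb {
    # Host-level complement to the perimeter block Microsoft recommends. Scoped to
    # the Public profile here (this example's assumption) so domain file sharing
    # keeps working; dropping -Profile blocks 445 everywhere and breaks the host's
    # own shares.
    $name = 'CVE-2020-0796 block inbound TCP 445'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

# --- driver ---
if (-not (Test-SmbGhostInScope)) {
    Write-Host 'This release is not one of the affected versions; nothing to do.'
    return
}

if (Get-SmbCompressionWorkaroundState) {
    Write-Host 'SMBv3 server compression is already disabled.'
} else {
    Disable-SmbServerCompression
    if (Get-SmbCompressionWorkaroundState) {
        Write-Host 'Workaround applied: DisableCompression = 1 (no reboot required).'
    } else {
        Write-Warning 'Registry write did not take effect; confirm the session is elevated.'
    }
}

Block-InboundSmb
Write-Host 'Reminder: this protects the SMB server role only. A client that connects to a malicious SMBv3 server is still exposed.'
```

The verification step matters: a workaround pushed by configuration management can silently fail on a non-elevated run, and a missing value reads the same as a value of 0 from SMBv3's point of view, so the check treats both as "still vulnerable".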
Despite the severity of the SMB bug, there was no evidence at the time of the advisory that it was being exploited in the wild.