Microsoft disclosed details of a critical wormable flaw in SMBv3. This flaw can be used by attackers to deliver wormable malware to targets which could spread across the network and infect other machines within no time. Server Message Block(SMB) is an important network protocol that is used for sharing access to files, printers, serial ports and other resources on a network. Microsoft has urged users to apply the patches for this vulnerability soon after they are available. This vulnerability is also known by a variety of names including SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue and NexternalBlue.
This flaw was revealed by Microsoft in an independent advisory without any details of patches. The reason for disclosure of an unpatched highly critical WannaCry-like bug still remains in the dark. But fortunately, Microsoft has now released an out-of-band update for CVE-2020-0796.
CVE-2020-0796: RCE in Windows SMBv3 Client/Server
According to Microsoft, the flaw exists in the request handling mechanism of Microsoft Server Message Block 3.1.1 (SMBv3) protocol. In order to exploit this vulnerability on a server, an unauthenticated attacker can send a maliciously crafted file to a vulnerable SMBv3 server. Whereas if the target is running a client, then the attacker will have to configure a malicious SMBv3 server and convince a user to connect to it. Microsoft also predicts that the exploitation of this vulnerability is very likely. Successful attacks can allow an attacker to execute arbitrary code on the target server/client.
Sophos has detailed three attack scenarios using CVE-2020-0796. The vulnerability specifically includes an integer overflow and underflow in one of the kernel drivers. A malicious packet sent to the target can trigger an underflow to read kernel data, or trigger an overflow to overwrite pointers in the kernel with a specified destination address for writing arbitrary data.
- Any computer that has been connected to a corporate domain has an automatically opened SMB port, and these systems are exposed to remote attackers. Microsoft suggests disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
- Attackers can also host their own malicious SMB servers and trick users into connecting to that server. This can be carried out with spearphishing emails or instant messages containing a link to the malicious server. If a user clicks and connects to this server, the system can be brought immediately under the complete control of the attacker.
Attackers can also conduct machine-in-the-middle attacks once they have gained a foothold inside the network. A legitimate system can be spoofed to host a malicious server that other users in the same network connect to. This gives the attacker a chance to compromise the machines which establish a connection with that system.
- If an attacker has already compromised a machine in a network, he can then modify key components of the kernel by sending malicious packets to escalate his privileges and launch any further attacks with elevated permissions.
- Windows 10 Version 1903 for 32/64-bit Systems
- Windows 10 Version 1909 for 32/64-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Scanners available on GitHub(1 , 2) can be used to test if a server is vulnerable.
A remote unauthenticated attacker can execute arbitrary code on targets with unpatched SMBv3 server/client. An attacker can also plant a malicious worm on a target machine that could spread and rapidly infect other machines on the network.