Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:30 PM
Connect Directly

Microsoft Discloses New Remote Execution Flaw in SMBv3

A patch for the flaw is not yet available, but there are no known exploits -- so far.

Among the more critical vulnerabilities that Microsoft disclosed yesterday was one that ironically was not included in its scheduled Patch Tuesday update and for which a patch is still not available.

The vulnerability exists in Microsoft's Server Message Block (SMB) protocol (SMBv3) and has prompted some concern about threat actors potentially using it to launch "wormable" exploits of the WannaCry variety.

The flaw is remotely executable. It allows attackers to gain complete control of vulnerable systems and execute arbitrary code on them within the context of the application, according to Fortinet, one of those that warned of the issue Tuesday.

A Microsoft advisory described the vulnerability as being of critical severity and impacting multiple versions of Windows 10 and Windows Server. "To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it," Microsoft said.

Since no patch is currently available for the flaw, Microsoft is recommending organizations disable SMBv3 compression so unauthenticated attackers are prevented from exploiting the vulnerability. However, that particular workaround does not protect SMB clients against exploitation. For that Microsoft is recommending organizations block TCP port 445 at the enterprise firewall.

"Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability," the company said, though they would still remain vulnerable to attacks from inside the perimeter.

Microsoft is urging all organizations to install updates for the vulnerability as soon as possible after they become available, even those organizations that have implemented the recommended workarounds.

No exploit for the vulnerability is known to be current available. Even so, organizations with exposed SMB services — typically port 445 — are at immediate risk, says Jonathan Knudsen, senior security strategist at Synopsys.

The SMB protocol allows Windows systems to share files printers, for example. Organizations often leave the service enabled on Internet-connected systems, giving attackers a potential entryway to their networks. In recent years, attackers have used exploits like the NSA-developed EternalBlue to spread malware via one vulnerable system to the next in a very effective fashion.

"To mitigate this risk, they should either disable the service altogether or follow Microsoft's advice to disable compression until a fix is available," Knudsen says. "Client computers will be vulnerable until a fix is available, so concerned organizations should curtail or discontinue their use of SMB until that point."  

Unexpected Disclosure
Microsoft declined to comment to Dark Reading on why the vulnerability was not disclosed with all the other bugs in the Patch Tuesday update or to provide any other details besides what's contained in the security advisory.

Some, though, suggest Microsoft might have been forced to issue the advisory after a couple of security vendors — Cisco Talos and Fortinet — inadvertently disclosed details of the flaw this week. According to Duo Security, which is also part of Cisco, Microsoft shares information about its security updates with antivirus companies, hardware vendors, and other trusted third parties.

It's possible that Cisco Talos and Fortinet had information about the SMBv3 issue and released it thinking it would be part of the Patch Tuesday release, the vendor said in a blog. "While Cisco Talos and Fortinet have updated their advisories to remove references to the vulnerability, enough people saw the descriptions," Duo said. According to Duo, the two vendors identified the vulnerability as CVE-2020-0796 though Microsoft itself did not refer to a CVE identifier in its security advisory.

A Fortinet brief described the vulnerability as a buffer overflow issue in SMB server. "The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," the security vendor said in urging organizations to apply Microsoft's update as soon as it becomes available.

"Ideally, a coordinated disclosure timeline would have researchers disclosing the vulnerability to the vendor, the vendor creating and publishing a fix, and then a coordinated public disclosure of the vulnerability," Knudsen says. "For whatever reason, that process appears to have gone awry in this case."

Thomas Hatch, CTO and co-founder at SaltStack, says news of the latest flaw highlights the need for organizations to properly secure SMB services. "SMB, like many such services, should never be exposed to the outside Internet. This is typically how these types of vulnerabilities get exploited," he says.

Also, given the prevalence of SMB, if an exploit is made public, it could prove to be a large issue for companies to deal with, cautions Charles Ragland, security engineer at Digital Shadows. In addition to Microsoft's recommended actions, organizations should follow security best practices.

"Disable unnecessary services, block ports at the firewall, and ensure that host based measures are in place to prevent users from accessing/modifying security controls," Ragland says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.