Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:30 PM
Connect Directly

Microsoft Discloses New Remote Execution Flaw in SMBv3

A patch for the flaw is not yet available, but there are no known exploits -- so far.

Among the more critical vulnerabilities that Microsoft disclosed yesterday was one that ironically was not included in its scheduled Patch Tuesday update and for which a patch is still not available.

The vulnerability exists in Microsoft's Server Message Block (SMB) protocol (SMBv3) and has prompted some concern about threat actors potentially using it to launch "wormable" exploits of the WannaCry variety.

The flaw is remotely executable. It allows attackers to gain complete control of vulnerable systems and execute arbitrary code on them within the context of the application, according to Fortinet, one of those that warned of the issue Tuesday.

A Microsoft advisory described the vulnerability as being of critical severity and impacting multiple versions of Windows 10 and Windows Server. "To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it," Microsoft said.

Since no patch is currently available for the flaw, Microsoft is recommending organizations disable SMBv3 compression so unauthenticated attackers are prevented from exploiting the vulnerability. However, that particular workaround does not protect SMB clients against exploitation. For that Microsoft is recommending organizations block TCP port 445 at the enterprise firewall.

"Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability," the company said, though they would still remain vulnerable to attacks from inside the perimeter.

Microsoft is urging all organizations to install updates for the vulnerability as soon as possible after they become available, even those organizations that have implemented the recommended workarounds.

No exploit for the vulnerability is known to be current available. Even so, organizations with exposed SMB services — typically port 445 — are at immediate risk, says Jonathan Knudsen, senior security strategist at Synopsys.

The SMB protocol allows Windows systems to share files printers, for example. Organizations often leave the service enabled on Internet-connected systems, giving attackers a potential entryway to their networks. In recent years, attackers have used exploits like the NSA-developed EternalBlue to spread malware via one vulnerable system to the next in a very effective fashion.

"To mitigate this risk, they should either disable the service altogether or follow Microsoft's advice to disable compression until a fix is available," Knudsen says. "Client computers will be vulnerable until a fix is available, so concerned organizations should curtail or discontinue their use of SMB until that point."  

Unexpected Disclosure
Microsoft declined to comment to Dark Reading on why the vulnerability was not disclosed with all the other bugs in the Patch Tuesday update or to provide any other details besides what's contained in the security advisory.

Some, though, suggest Microsoft might have been forced to issue the advisory after a couple of security vendors — Cisco Talos and Fortinet — inadvertently disclosed details of the flaw this week. According to Duo Security, which is also part of Cisco, Microsoft shares information about its security updates with antivirus companies, hardware vendors, and other trusted third parties.

It's possible that Cisco Talos and Fortinet had information about the SMBv3 issue and released it thinking it would be part of the Patch Tuesday release, the vendor said in a blog. "While Cisco Talos and Fortinet have updated their advisories to remove references to the vulnerability, enough people saw the descriptions," Duo said. According to Duo, the two vendors identified the vulnerability as CVE-2020-0796 though Microsoft itself did not refer to a CVE identifier in its security advisory.

A Fortinet brief described the vulnerability as a buffer overflow issue in SMB server. "The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," the security vendor said in urging organizations to apply Microsoft's update as soon as it becomes available.

"Ideally, a coordinated disclosure timeline would have researchers disclosing the vulnerability to the vendor, the vendor creating and publishing a fix, and then a coordinated public disclosure of the vulnerability," Knudsen says. "For whatever reason, that process appears to have gone awry in this case."

Thomas Hatch, CTO and co-founder at SaltStack, says news of the latest flaw highlights the need for organizations to properly secure SMB services. "SMB, like many such services, should never be exposed to the outside Internet. This is typically how these types of vulnerabilities get exploited," he says.

Also, given the prevalence of SMB, if an exploit is made public, it could prove to be a large issue for companies to deal with, cautions Charles Ragland, security engineer at Digital Shadows. In addition to Microsoft's recommended actions, organizations should follow security best practices.

"Disable unnecessary services, block ports at the firewall, and ensure that host based measures are in place to prevent users from accessing/modifying security controls," Ragland says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.