Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/11/2020
05:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Discloses New Remote Execution Flaw in SMBv3

A patch for the flaw is not yet available, but there are no known exploits -- so far.

Among the more critical vulnerabilities that Microsoft disclosed yesterday was one that ironically was not included in its scheduled Patch Tuesday update and for which a patch is still not available.

The vulnerability exists in Microsoft's Server Message Block (SMB) protocol (SMBv3) and has prompted some concern about threat actors potentially using it to launch "wormable" exploits of the WannaCry variety.

The flaw is remotely executable. It allows attackers to gain complete control of vulnerable systems and execute arbitrary code on them within the context of the application, according to Fortinet, one of those that warned of the issue Tuesday.

A Microsoft advisory described the vulnerability as being of critical severity and impacting multiple versions of Windows 10 and Windows Server. "To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it," Microsoft said.

Since no patch is currently available for the flaw, Microsoft is recommending organizations disable SMBv3 compression so unauthenticated attackers are prevented from exploiting the vulnerability. However, that particular workaround does not protect SMB clients against exploitation. For that Microsoft is recommending organizations block TCP port 445 at the enterprise firewall.

"Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability," the company said, though they would still remain vulnerable to attacks from inside the perimeter.

Microsoft is urging all organizations to install updates for the vulnerability as soon as possible after they become available, even those organizations that have implemented the recommended workarounds.

No exploit for the vulnerability is known to be current available. Even so, organizations with exposed SMB services — typically port 445 — are at immediate risk, says Jonathan Knudsen, senior security strategist at Synopsys.

The SMB protocol allows Windows systems to share files printers, for example. Organizations often leave the service enabled on Internet-connected systems, giving attackers a potential entryway to their networks. In recent years, attackers have used exploits like the NSA-developed EternalBlue to spread malware via one vulnerable system to the next in a very effective fashion.

"To mitigate this risk, they should either disable the service altogether or follow Microsoft's advice to disable compression until a fix is available," Knudsen says. "Client computers will be vulnerable until a fix is available, so concerned organizations should curtail or discontinue their use of SMB until that point."  

Unexpected Disclosure
Microsoft declined to comment to Dark Reading on why the vulnerability was not disclosed with all the other bugs in the Patch Tuesday update or to provide any other details besides what's contained in the security advisory.

Some, though, suggest Microsoft might have been forced to issue the advisory after a couple of security vendors — Cisco Talos and Fortinet — inadvertently disclosed details of the flaw this week. According to Duo Security, which is also part of Cisco, Microsoft shares information about its security updates with antivirus companies, hardware vendors, and other trusted third parties.

It's possible that Cisco Talos and Fortinet had information about the SMBv3 issue and released it thinking it would be part of the Patch Tuesday release, the vendor said in a blog. "While Cisco Talos and Fortinet have updated their advisories to remove references to the vulnerability, enough people saw the descriptions," Duo said. According to Duo, the two vendors identified the vulnerability as CVE-2020-0796 though Microsoft itself did not refer to a CVE identifier in its security advisory.

A Fortinet brief described the vulnerability as a buffer overflow issue in SMB server. "The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," the security vendor said in urging organizations to apply Microsoft's update as soon as it becomes available.

"Ideally, a coordinated disclosure timeline would have researchers disclosing the vulnerability to the vendor, the vendor creating and publishing a fix, and then a coordinated public disclosure of the vulnerability," Knudsen says. "For whatever reason, that process appears to have gone awry in this case."

Thomas Hatch, CTO and co-founder at SaltStack, says news of the latest flaw highlights the need for organizations to properly secure SMB services. "SMB, like many such services, should never be exposed to the outside Internet. This is typically how these types of vulnerabilities get exploited," he says.

Also, given the prevalence of SMB, if an exploit is made public, it could prove to be a large issue for companies to deal with, cautions Charles Ragland, security engineer at Digital Shadows. In addition to Microsoft's recommended actions, organizations should follow security best practices.

"Disable unnecessary services, block ports at the firewall, and ensure that host based measures are in place to prevent users from accessing/modifying security controls," Ragland says.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Keys to Hiring Cybersecurity Pros When Certification Can't Help."

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10936
PUBLISHED: 2020-05-27
Sympa before 6.2.56 allows privilege escalation.
CVE-2020-6774
PUBLISHED: 2020-05-27
Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
CVE-2020-13633
PUBLISHED: 2020-05-27
Fork before 5.8.3 allows XSS via navigation_title or title.
CVE-2020-10945
PUBLISHED: 2020-05-27
Centreon before 19.10.7 exposes Session IDs in server responses.
CVE-2020-10946
PUBLISHED: 2020-05-27
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the page parameter to service-monitoring/src/index.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.0...