Microsoft Inadvertently Leaks Details of a New SMB Wormable Bug – Time to Block Ports and Disable SMBv3 Compression
Microsoft accidentally leaked details of a new wormable vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol around today's Patch Tuesday updates. The company didn't publish any technical details, but it had apparently shared short summaries describing the bug with members of its Microsoft Active Protections Program (MAPP), the security vendors that get early access to vulnerability information, and some of those vendors published the summaries on their own websites.
Tracked as CVE-2020-0796, the bug has not been fixed in this month's Patch Tuesday updates, which makes matters worse. Microsoft most likely planned to ship a patch in this cycle, pulled it, and then failed to tell its industry partners and vendors in time.
Who is affected by this wormable SMBv3 vulnerability
While the complete details aren't known, the vendor summaries list Windows 10 version 1903, Windows Server version 1903 (Server Core installation), Windows 10 version 1909 and Windows Server version 1909 (Server Core installation) as affected. Microsoft's own advisory names only these four products, so earlier releases are not currently reported as affected.
"An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," Cisco Talos initially wrote and later redacted the details from their report.
"The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim."
It appears the bug could allow remote attackers to take full control of vulnerable systems; the Windows SMB server runs in the kernel (srv2.sys), so code execution against a server means code execution in kernel mode. Remember that an SMBv1 flaw (EternalBlue) was the propagation vector for the WannaCry and NotPetya ransomware outbreaks, so admins are understandably scrambling for workarounds to avoid another security disaster. Before going into panic mode, note that no technical details were leaked, only a short description, which lowers the near-term risk of a working exploit.
Possible workarounds and Microsoft's response
Microsoft has now released a statement saying that it is "aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests."
An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
The company didn't say when to expect the patch, but it did share a workaround: disable SMBv3 compression on the server, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. This is a registry change under the LanmanServer service and, per Microsoft, takes effect without a reboot. Use the following PowerShell command from an elevated prompt:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
To undo the workaround once a patch has been installed, use this command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Microsoft added that this workaround does not prevent exploitation of SMB clients, since a client that connects to a malicious SMBv3 server is still exposed. Microsoft also recommends blocking TCP port 445 at the enterprise perimeter firewall and on client computers. "This can help protect networks from attacks that originate outside the enterprise perimeter," Microsoft wrote. "Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks."
Note that a perimeter block does nothing against an attacker who is already inside: systems remain vulnerable to attacks from within the enterprise perimeter, which is exactly what a worm exploits once a single host falls. If you are a sysadmin, keep an eye on Microsoft's advisory for this vulnerability (ADV200005) for updated information.
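The following script ties the steps above together: it checks whether the host runs one of the builds listed as affected, applies the DisableCompression registry workaround and reads it back, and adds an inbound block for TCP 445 on the Public firewall profile. It is an added example written for this article, not Microsoft's own script; the rule name, the choice of the Public profile and the build-number mapping (1903 is OS build 18362, 1909 is OS build 18363) are the example's own assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article or from Microsoft): assess and harden one host
# against CVE-2020-0796 using the registry workaround and a local firewall block.
# Run from an elevated PowerShell session.

# Assumed mapping: Windows 10 / Server version 1903 = build 18362, 1909 = build 18363.
$AffectedBuilds = @('18362', '18363')
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-AffectedBuild {
    # Report the installed build and whether it is one of the builds named in the advisory.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption  = $os.Caption
        Build    = $os.BuildNumber
        Affected = $AffectedBuilds -contains $os.BuildNumber
    }
}

function Get-SmbCompressionState {
    # An absent DisableCompression value means compression is enabled (the default).
    $item = Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (value not set)' }
    if ($item.DisableCompression -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # Same registry change Microsoft published; no reboot is needed for this key.
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value 1 -Force
    # Read the value back instead of trusting the write.
    if ((Get-SmbCompressionState) -ne 'Disabled') {
        throw 'DisableCompression was not applied; check that the session is elevated.'
    }
}

function Block-InboundSmb {
    # Hypothetical rule name chosen for this example. Public profile only: blocking 445 on
    # the Domain profile breaks file shares and Group Policy (SYSVOL) for domain-joined hosts.
    param([string]$Profile = 'Public')
    $name = 'Block inbound SMB (TCP 445) - CVE-2020-0796 workaround'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile $Profile | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Profile, Action
}

$state = Test-AffectedBuild
$state
if ($state.Affected) {
    Disable-SmbCompression
    "SMB compression: $(Get-SmbCompressionState)"
    Block-InboundSmb -Profile Public
}
# The firewall rule drops traffic but the SMB listener stays up; show it so nobody
# mistakes a closed port for a stopped service.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The registry change protects only the server side of this host; a user who connects to an attacker-controlled SMBv3 share is still exposed, which is why the script also blocks the port locally. Scope the firewall rule carefully: on the Domain profile it would cut off file shares and Group Policy retrieval, so the perimeter block Microsoft recommends remains the primary control and this local rule is a supplement for laptops and other hosts that leave the network.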