Expert Insight On Microsoft Leaks Info On Wormable Windows SMBv3 CVE-2020-0796 Flaw

It has been reported that Microsoft leaked details of a security update for a ‘wormable’ pre-authentication remote code execution vulnerability in the Server Message Block 3.0 (SMBv3) network protocol, an update that reportedly should have shipped as part of this month’s Patch Tuesday. The vulnerability stems from an error in how SMBv3 handles maliciously crafted compressed data packets; a remote, unauthenticated attacker who exploits it can execute arbitrary code in the context of the application.

Satnam Narang, Senior Research Engineer (InfoSec Expert)
March 11, 2020 12:56 pm

Microsoft released ADV200005, a security advisory for a critical remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3). An unauthenticated attacker could exploit the flaw by sending a specially crafted packet to the vulnerable SMBv3 server. At this time, there is no patch available. However, Microsoft provided workaround instructions to help prevent attackers from exploiting the vulnerability which include disabling compression for SMBv3 as well as blocking TCP port 445 at the perimeter firewall. Microsoft cautions that these fixes only prevent potential exploitation server side, and will not protect vulnerable SMB clients. Microsoft notes that in order to exploit an SMB Client, the attacker would need to configure a malicious SMB server and convince users to connect to it.

The vulnerability was initially disclosed accidentally as part of the March Patch Tuesday release in another security vendor’s blog. Soon after the accidental disclosure, references to it were removed from the blog post. The flaw was identified as CVE-2020-0796, though it is unclear whether or not Microsoft will use this identifier once their patch is released.

This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks. It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.

At this point, organisations would be wise to review and implement the workarounds Microsoft has provided and begin prioritising patch management for the flaw once patches are released.

Kieran Robert, Head of Penetration Testing (InfoSec Expert)
March 11, 2020 12:51 pm

SMB (Server Message Block) is the protocol used for sharing files; this is the same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit, which was weaponised into the WannaCry ransomware.

It appears that this new vulnerability has several of the same hallmarks as EternalBlue. From the information we have, it appears that this new vulnerability is also ‘wormable’ – a worm is a piece of malware that is self-replicating, meaning that it can propagate throughout a network without help from a user. This means that this new vulnerability could result in a resurgence of ransomware attacks such as WannaCry and NotPetya, which both used the very similar EternalBlue exploit.

It seems that no Proof of Concept code is currently public, but administrators are advised to disable SMBv3 Compression, which seems to be the vulnerable feature, and to block port 445 where possible.

Currently, Microsoft do not have a patch for this and they have not commented (so far) on when one might be available. The only reason we know that this bug exists is because Microsoft included some details about this vulnerability in their Patch Tuesday details BUT then they didn’t actually patch the problem. I expect this means that they intended to include this fix in the most recent patch, but when they didn’t make the deadline, they forgot to remove the information from the Patch Tuesday notes.

This bug is going by a few different names; two of the ‘best’ are CoronaBlue (based on EternalBlue) and SMBGhost (since everyone now knows there’s a bug (because Microsoft accidentally told us) but nobody can see it).

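As an added defender-side example, not part of either expert's comment and not Microsoft's own advisory text, the PowerShell below audits and applies the server-side workaround both comments describe (disabling SMBv3 compression) and reports whether the host is listening on TCP 445, which informs the perimeter-blocking decision. The registry path and the DisableCompression value are taken from the editor's recollection of Microsoft's ADV200005 guidance rather than from this page, so confirm them against the advisory before rolling this out; as the comments note, the workaround does nothing for SMB clients.

```powershell
# Added example (not from the page, the commenters, or Microsoft): audit and apply
# the ADV200005 server-side workaround on one Windows host. Run elevated.
# Assumption: the registry location below matches Microsoft's published workaround.

$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the workaround is in place, 'Enabled' otherwise
    # (a missing value means compression is still on).
    $current = (Get-ItemProperty -Path $smbParams -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # Idempotent: sets the DWORD to 1. Set it back to 0 (or remove it) to revert
    # once the real patch is installed.
    Set-ItemProperty -Path $smbParams -Name $valueName -Type DWORD -Value 1 -Force
}

function Test-Smb445Listening {
    # True if something (normally the SMB server) is listening on TCP 445.
    # Blocking 445 at the perimeter is the second workaround the advisory lists;
    # this only tells you whether the host exposes the service at all.
    [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

Write-Host "SMBv3 compression before: $(Get-SmbCompressionState)"
Disable-SmbCompression
Write-Host "SMBv3 compression after:  $(Get-SmbCompressionState)"
Write-Host "Listening on TCP 445:     $(Test-Smb445Listening)"
```

Record the "before" state per host so the change can be reverted cleanly after patching, and treat a `True` on the 445 check for an internet-facing host as the cue to apply the firewall rule the advisory recommends.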