Microsoft leaks details of unpatched critical SMB vulnerability in Windows 10 and Windows Server
Patch Tuesday is supposed to be the day Microsoft issues bug-fixing updates for Windows and other software, but this week things were a little different. In addition to the usual patches, the company also inadvertently revealed the existence of a critical vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol -- one for which there is currently no patch.
It seems that Microsoft had intended to issue a patch to the vulnerability (CVE-2020-0796) yesterday, and therefore referenced it in the introductory text for the Patch Tuesday release, but then changed its mind -- perhaps because the patch was not ready. Two cybersecurity firms also published brief details of the security flaw, and while Microsoft is still yet to issue a patch, the company has provided details of workarounds.
- Windows 10 memory integrity setting causes 'A driver can't load on this device' error
- Windows 10 KB4535996 update is causing sleep problems and degrading performance
- Microsoft starts rolling out new icons to all Windows 10 users
The vulnerability affects ARM64, 32- and 64-bit editions of Windows 10 versions 1903 and 1909, as well as Windows Server versions 1903 and 1909. While full details of the vulnerability have not been revealed, FortiGuard Labs talks about MS.SMB.Server.Compression.Transform.Header.Memory.Corruption which it describes as "an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers".
The cybersecurity firm goes on to explain that: "The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application".
CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to. Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a "wormable" attack, which means it would be easy to move from victim to victim.
Microsoft has since published an advisory notice about the vulnerability. The company suggests a workaround that involves disabling SMBv3 compression. The advisory says:
Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
There are two pieces of advice to try to mitigate against the security flaw. The first is to disable SMBv3 compression, although Microsoft points out that while this will block unauthenticated attackers, it does not prevent SMB clients from being exploited. To disable compression, use the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Microsoft also advises people to block TCP port 445 at the enterprise perimeter firewall.
More information is available here.