Microsoft’s June patch release included fixes for nearly 130 vulnerabilities across its product line, one of which stands out as an attractive target for attackers.
The vulnerability is a critical remote code execution bug in the Server Message Block (SMB) v1 protocol that is present in most of the current server and desktop versions of Windows. SMB is the protocol that Windows uses to send files and share resources across networks and version 1 is an older iteration, although it’s still included in newer Windows releases. The SMB protocol has seen more than its share of vulnerabilities over the years, and attackers have taken advantage of SMB in a number of high-profile intrusions, including the WannaCry ransomware incident.
On Tuesday, Microsoft released a patch for a new vulnerability that can be exploited remotely to take control of servers running SMBv1.
“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server,” the Microsoft advisory says.
“To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.”
The vulnerability affects many current versions of Windows, including Windows Server 2008, Server 2012, Server 2016, Server 2019, Windows 7, 8.1, and 10.
In addition to the SMBv1 fix, Microsoft also released patches for two separate, less serious vulnerabilities in SMBv3 that can still cause problems for enterprises: one is a denial-of-service bug, the other an information disclosure issue.
“A denial of service vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An authenticated attacker who successfully exploited this vulnerability against an SMB Server could cause the affected system to crash. An unauthenticated attacker could also exploit this vulnerability against an SMB client and cause the affected system to crash,” the advisory says.
“To exploit the vulnerability against a server, an authenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”
The information disclosure vulnerability is similar, but would only allow an attacker to gather some information about the target system.
“There is commonality between all these vulnerabilities however, and it is that mitigation can be accomplished via disabling SMBv3 compression, which is stated as having no negative performance impact (yet). There are patches, and patches will always be a solid strategy, but it's nice to know what the alternatives could be,” Richard Tsang, manager of software engineering for security content at Rapid7, said in an analysis of the SMB flaws.
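As an added, defender-side illustration (not part of the article or Rapid7's analysis), the following PowerShell script audits a host for the two exposures discussed above, the SMBv1 server being enabled and SMBv3 compression being on, and applies the mitigations when run with `-Apply`. It assumes Windows 8 / Server 2012 or later (which ship the `SmbShare` module) and an elevated session; the `DisableCompression` registry value is the SMBv3 server workaround Microsoft documented earlier in 2020.

```powershell
# Added example, not from the article: audit and optionally apply the SMB mitigations
# discussed above. Assumes Windows 8 / Server 2012 or later and an Administrator session.
param([switch]$Apply)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. SMBv1: the server side should not be enabled on a modern host at all.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is ENABLED'
    if ($Apply) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server disabled'
    }
} else {
    Write-Output 'SMBv1 server is disabled'
}

# 2. SMBv3 compression: DisableCompression = 1 (DWORD) turns it off for the SMB server role.
#    This only hardens the server side; it does not protect SMB clients that connect to a
#    malicious server, so patching is still required for the client-side DoS described above.
$disable = (Get-ItemProperty -Path $params -Name DisableCompression `
            -ErrorAction SilentlyContinue).DisableCompression
if ($disable -eq 1) {
    Write-Output 'SMBv3 compression already disabled'
} else {
    Write-Warning 'SMBv3 compression is enabled (DisableCompression absent or 0)'
    if ($Apply) {
        Set-ItemProperty -Path $params -Name DisableCompression -Type DWord -Value 1 -Force
        Write-Output 'SMBv3 compression disabled (takes effect without a reboot)'
    }
}

# 3. Confirm the host actually received the June update: list the most recent hotfixes and
#    compare them with the KB number for this Windows build from the Microsoft advisory.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

Run it without `-Apply` first to see the current state; the registry workaround is a stopgap, and the audit of installed hotfixes is the check that actually matters.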