Security news that informs and inspires

Microsoft Releases Emergency Fix for SMBv3 Flaw


Microsoft released an out-of-band security update addressing the remote code execution vulnerability in its implementation of the Server Message Block 3.1.1 (SMBv3) protocol. The critical vulnerability, which exists in the way SMBv3 handles certain requests, was disclosed earlier in the week along with recommendations to disable SMBv3 compression on SMB servers and to block SMB traffic at the firewall.

The vulnerability has been assigned the maximum score of 10 on the Common Vulnerability Scoring System (CVSS), underscoring its severity. Microsoft said the vulnerability has not yet been exploited in the wild, but warned that exploitation was likely. Administrators should apply the patch as soon as possible or, for systems that cannot be updated right away, implement the workarounds outlined below.

As noted earlier in the week, this vulnerability is wormable: malware exploiting it could move from system to system without user action. The WannaCry and NotPetya ransomware outbreaks infected so many systems because large numbers of them had been left unpatched, even though Microsoft had released the fix months earlier.

Delays in applying the update for CVE-2020-0796 can result in a similar worm outbreak.

This story has been updated. The original story was published March 10, 2020:

Microsoft has issued a security advisory warning of a vulnerability in its implementation of the Server Message Block 3.1.1 (SMBv3) protocol. Until a fix is available, administrators are advised to disable SMBv3 compression on their servers.

The security flaw, identified as CVE-2020-0796, was not included in March’s Patch Tuesday releases. Details of the bug were published accidentally, and Microsoft followed up with the security advisory and technical guidance. There is currently no published timetable for when the update for this issue will be available.

A remote code execution vulnerability exists in the way the SMB 3.1.1 (SMBv3) protocol handles certain requests, Microsoft said in its advisory. SMB is a network file-sharing protocol that allows client machines to access files on servers. The flaw can be attacked in either direction: an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server, Microsoft said, or an attacker could set up a malicious SMBv3 server and convince a user to connect to it with an SMBv3 client. A successful attack would allow the unauthenticated attacker to execute code on the targeted server or client.

The issue is limited to SMBv3, the latest version of the protocol, and specifically to the SMBv3 compression support that Microsoft added only in recent Windows releases, which is why disabling compression is the recommended workaround. Only Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1903, and Windows Server version 1909 appear to be affected; older Windows releases are not.

There was no evidence the vulnerability had been exploited in the wild, Microsoft said in the advisory.

Out-of-Sync Disclosure

Even though the Patch Tuesday release did not mention this vulnerability, details of the bug were published accidentally. It's not clear exactly what happened, but Microsoft does share information about security updates with trusted industry partners such as antivirus companies and hardware vendors through its Microsoft Active Protections Program. It's possible the partners didn't realize the vulnerability was not part of the final release, and shared what they knew when the Patch Tuesday updates were released.

Although Cisco Talos and Fortinet have since updated their advisories to remove references to the vulnerability, the descriptions had already been widely seen. Fortinet described the issue as a “Buffer Overflow Vulnerability in Microsoft SMB Servers” and said a remote, unauthenticated attacker could exploit the flaw to execute arbitrary code within the context of the application.

Cisco Talos said in its now-removed description that a "wormable" attack would be able to exploit the vulnerability to "move from victim to victim."

The last time a wormable flaw was found in SMB (in SMBv1), the result was the EternalBlue exploit, which the WannaCry and NotPetya ransomware used to infect systems around the world in 2017. Because no exploit code for this SMBv3 flaw has been released so far, the immediate risk of exploitation is lower. But when an update becomes available, administrators should make sure to apply that patch or take appropriate measures to protect their systems.

Mitigations

"Because SMB is a remote file system, it requires protection from attacks where a Windows computer might be tricked into contacting a malicious server running inside a trusted network or to a remote server outside the network perimeter," Microsoft said in its knowledgebase article listing various firewall best practices and configurations for administrators. These workarounds can help protect systems until an update is available, but each one covers only part of the attack surface.

Administrators can use PowerShell to disable SMBv3 compression, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. However, disabling compression on the server does not block attacks against an SMBv3 client: a client on that machine that connects to a malicious server remains exposed.
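The following script is an added example, not code from the article or from Microsoft's advisory. It applies the compression workaround Microsoft published (the registry path and the DisableCompression value are Microsoft's), then verifies that the value actually took, since a non-elevated shell fails the write silently. The release check that skips hosts outside the affected list and the verification and revert functions are this example's own additions and assume an elevated PowerShell session.

```powershell
# Added example: apply and verify Microsoft's SMBv3 compression workaround.
# Assumptions (not from the advisory): ReleaseId is used to skip hosts that are
# not in the affected list, and the session is elevated (HKLM writes need it).

$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$CurrentVersionKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Test-AffectedRelease {
    # Only Windows 10 / Windows Server versions 1903 and 1909 are listed as affected.
    $releaseId = (Get-ItemProperty -Path $CurrentVersionKey -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId
    return ($releaseId -in @('1903', '1909'))
}

function Disable-SmbServerCompression {
    # Microsoft's workaround: DisableCompression = 1 (REG_DWORD). No reboot required.
    Set-ItemProperty -Path $LanmanServerParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Enable-SmbServerCompression {
    # Reverses the workaround once the security update has been installed.
    Set-ItemProperty -Path $LanmanServerParams -Name DisableCompression -Type DWORD -Value 0 -Force
}

function Test-SmbServerCompressionDisabled {
    # Read the value back rather than trusting that Set-ItemProperty succeeded.
    $props = Get-ItemProperty -Path $LanmanServerParams -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.DisableCompression -eq 1)
}

if (-not (Test-AffectedRelease)) {
    Write-Output 'This Windows release is not in the affected list; no workaround applied.'
    return
}

Disable-SmbServerCompression
if (Test-SmbServerCompressionDisabled) {
    Write-Output 'SMBv3 compression disabled for the SMB server role.'
    # Server side only: an SMBv3 client on this host connecting to a malicious
    # server is still exposed until the security update is installed.
} else {
    Write-Warning 'DisableCompression is not set to 1; confirm the session is elevated.'
}
```

Run it once per affected host from an elevated prompt; the value is read back after the write so the script reports the real state rather than assuming success. Call Enable-SmbServerCompression after the update is installed if compression is wanted again.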

Administrators should also block TCP port 445 at the enterprise perimeter firewall to prevent attackers outside the network from exploiting the vulnerability. However, this would not help if the attackers are already in the network. Organizations can allow port 445 access to specific Azure Datacenter IP ranges in cases where on-premises clients use the SMB port to connect to Azure file storage.

“Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability,” Microsoft said.

Administrators can block all inbound SMB traffic using the Windows Defender Firewall on Windows clients and servers that do not host SMB shares to prevent remote connections from malicious or compromised devices. The knowledgebase article provided sample rules.

And finally, Microsoft also published guidelines to prevent SMB traffic from leaving the corporate environment. Administrators should “block unsolicited communication (from the Internet) and outgoing traffic (to the Internet)” to ports 137, 138, 139, and 445, Microsoft said. Those ports carry SMB and the NetBIOS services it can run over (137 and 138 for NetBIOS name and datagram services, 139 for NetBIOS sessions, and 445 for SMB directly over TCP), but blocking them could also affect other applications and services, such as applications that use SMB (CIFS), group policy, print spooler, and performance logs and alerts.

SMB traffic should be restricted to private networks or virtual private networks (VPNs), Microsoft said.

“To help prevent attacks that may use other ports, we recommend that you block all unsolicited communication from the Internet,” Microsoft said, suggesting a blanket deny (deny-all) rule on the firewall with explicit allow rules for specific services such as DNS, HTTP, HTTPS, and SMTP.
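The script below is an added example and is not the sample rules from Microsoft's knowledgebase article. It implements the host-level parts of the firewall guidance above with Windows Defender Firewall: an inbound block on TCP 445 for hosts that serve no SMB shares, and an outbound block on ports 137, 138, 139, and 445 toward non-private addresses so that SMB keeps working inside the private network or over a VPN but not toward the Internet. The rule names, the share check, and the list of public IPv4 ranges (IPv4 unicast space with the RFC 1918 ranges and loopback carved out) are this example's own assumptions; the perimeter deny-all policy is configured on the perimeter device and is not shown.

```powershell
# Added example: host-level SMB firewall rules for the mitigation guidance above.
# Assumptions (this example's own): rule names are arbitrary, and the public
# ranges below are an approximation of "the Internet" for outbound filtering.

$RulePrefix = 'CVE-2020-0796 SMB'
$SmbPorts   = @('137', '138', '139', '445')

# IPv4 unicast space minus 10/8, 127/8, 172.16/12, 192.168/16 (224/3 is excluded too).
$PublicIPv4Ranges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

function Test-HostsSmbShares {
    # Administrative shares (C$, ADMIN$, IPC$) are flagged Special; only user shares count.
    $shares = Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special }
    return ($null -ne $shares -and @($shares).Count -gt 0)
}

function Add-InboundSmbBlock {
    # A host that serves no shares needs no inbound SMB from anyone.
    New-NetFirewallRule -DisplayName "$RulePrefix inbound 445" -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Enabled True | Out-Null
}

function Add-OutboundSmbBlock {
    # Stop SMB and NetBIOS leaving the private network. 137/138 are normally UDP
    # (NetBIOS name and datagram), 139 and 445 TCP; both protocols are blocked so
    # the rule set matches Microsoft's port list exactly.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "$RulePrefix outbound $proto" -Direction Outbound `
            -Protocol $proto -RemotePort $SmbPorts -RemoteAddress $PublicIPv4Ranges `
            -Action Block -Enabled True | Out-Null
    }
}

function Get-SmbBlockRules {
    # Returns only the rules this script created, for verification or rollback.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue
}

function Remove-SmbBlockRules {
    Get-SmbBlockRules | Remove-NetFirewallRule
}

if (Test-HostsSmbShares) {
    Write-Output 'Host serves SMB shares; skipping the inbound 445 block (use the compression workaround instead).'
} else {
    Add-InboundSmbBlock
}
Add-OutboundSmbBlock

# Show what was installed: one inbound port filter plus two outbound ones.
Get-SmbBlockRules | Get-NetFirewallPortFilter | Select-Object InstanceID, Protocol, LocalPort, RemotePort
```

Two caveats a practitioner should keep in mind. Windows Defender Firewall evaluates block rules before allow rules, so on-premises clients that reach Azure file storage over port 445 cannot be rescued with an extra allow rule; the Azure Datacenter ranges have to be carved out of the outbound block list instead. And the inbound block only closes the server-side attack path; the outbound block is what limits the client-side path to servers on the private network, which is why both are installed together.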