The latest editions of Windows 10, versions 1903 and 1909, contain an exploitable security vulnerability in the Server Message Block (SMB) protocol. SMBv3 servers and clients can be compromised and made to run arbitrary code. What is even more concerning is that the vulnerability can be exploited remotely with relatively simple methods.
Microsoft has acknowledged a new security vulnerability in the Microsoft Server Message Block 3.1.1 (SMB) protocol. The company appears to have previously leaked the details accidentally during this week’s Patch Tuesday updates. The vulnerability can be exploited remotely to execute code on an SMB Server or Client. Essentially, this is a concerning RCE (Remote Code Execution) bug.
Microsoft Confirms Security Vulnerability Inside The SMBv3:
In a security advisory published yesterday, Microsoft explained that the vulnerability affects versions 1903 and 1909 of Windows 10 and Windows Server. However, the company was quick to point out that the flaw has not been exploited yet. Incidentally, the company reportedly leaked details of the vulnerability, tracked as CVE-2020-0796, without publishing any technical details; Microsoft merely offered short summaries describing the bug. Several security product vendors that belong to the company’s Active Protections Program, and therefore get early access to bug information, picked up those summaries and published them.
CVE-2020-0796 – a "wormable" SMBv3 vulnerability.
— MalwareHunterTeam (@malwrhunterteam) March 10, 2020
It is important to note that no patch for the SMBv3 security bug is ready yet. It appears that Microsoft initially planned to release a patch for this vulnerability but could not, and then failed to update industry partners and vendors. This led to the publication of a security vulnerability that can still be exploited in the wild.
How Can Attackers Exploit The SMBv3 Security Vulnerability?
While details are still emerging, systems running Windows 10 version 1903, Windows Server version 1903 (Server Core installation), Windows 10 version 1909, and Windows Server version 1909 (Server Core installation) are affected. It is, however, quite likely that earlier versions of Windows could also be vulnerable.
A critical bug in Microsoft's SMBv3 implementation was published under mysterious circumstances. https://t.co/8kGcNEpw7R
— Zack Whittaker (@zackwhittaker) March 11, 2020
Explaining the basic concept and type of the SMBv3 security vulnerability, Microsoft noted: “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
While details are scarce, experts indicate the SMBv3 bug could allow remote attackers to take full control of vulnerable systems. Moreover, the vulnerability might also be wormable: attackers could automate attacks through compromised SMBv3 servers and spread to multiple machines.
How to Protect Windows OS and SMBv3 Servers From New Security Vulnerability?
Microsoft may have acknowledged the existence of a security vulnerability inside SMBv3, but the company has not yet released a patch for it. Users can disable SMBv3 compression to prevent attackers from exploiting the vulnerability against an SMB server. The command to run in PowerShell is as follows:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
To undo this temporary protection against the SMBv3 vulnerability, run the following command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
— CISOwithHoodie (@SecGuru_OTX) March 11, 2020
It is important to note that this method is not comprehensive and will merely delay or dissuade an attacker. Microsoft recommends blocking TCP port 445 on firewalls and client computers. “This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks,” advised Microsoft.
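To make the two mitigations above repeatable and verifiable on a fleet of machines, here is an added PowerShell script (example code written for this article; it is not from the article, from Microsoft, or from any of the quoted tweets). It reads the current DisableCompression state, applies the registry workaround from the article only if it is not already in place, adds a host firewall rule for the port 445 recommendation, and reports the result. The registry path and value name are the ones in Microsoft’s published workaround; the rule name "Block-SMB-445-Inbound" and the function names are my own. It must be run from an elevated session, since HKLM and the firewall policy require administrator rights.

```powershell
# Added example, not from the article or Microsoft. Run in an elevated PowerShell session.
# Assumptions: registry path/value name as published by Microsoft; rule name is hypothetical.

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName  = 'Block-SMB-445-Inbound'   # hypothetical firewall rule name chosen for this example

function Get-SmbCompressionState {
    # Returns 'Disabled' (value 1), 'Enabled' (value 0) or 'NotSet' (value absent).
    # A missing value means compression is still allowed, i.e. the server is still exposed.
    $item = Get-ItemProperty -Path $ParamsKey -Name 'DisableCompression' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet' }
    if ($item.DisableCompression -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-SmbCompression {
    # Server-side workaround from the article: DisableCompression = 1.
    # This protects only the SMB server role on this host; it does not protect SMB clients
    # that connect to a malicious server, which is the second attack path the article quotes.
    Set-ItemProperty -Path $ParamsKey -Name 'DisableCompression' -Type DWORD -Value 1 -Force
}

function Enable-SmbCompression {
    # Rollback, matching the article's undo command (value 0).
    Set-ItemProperty -Path $ParamsKey -Name 'DisableCompression' -Type DWORD -Value 0 -Force
}

function Block-SmbInbound445 {
    # Host firewall rule blocking inbound TCP/445, the article's second mitigation.
    # Caveat: this also breaks legitimate file and printer sharing offered by this host.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$before = Get-SmbCompressionState
Write-Host "SMBv3 compression before: $before"
if ($before -ne 'Disabled') { Disable-SmbCompression }
Block-SmbInbound445
Write-Host "SMBv3 compression after:  $(Get-SmbCompressionState)"
$rulePresent = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
Write-Host "Inbound TCP/445 block rule present: $rulePresent"
```

Get-SmbCompressionState is the useful piece for an inventory: a host reporting 'NotSet' or 'Enabled' has not had the workaround applied. Enable-SmbCompression is included only for rollback once a patch is installed and is not called by the script.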