SMB Wormable Vulnerability

THE THREAT

Update 2020/03/30: Security researcher, Daniel García, has published Proof of Concept (PoC) code for exploiting CVE-2020-0796. This PoC can be used to escalate privileges on a local machine. Security staff at eSentire have tested the PoC to verify its legitimacy.

The recent public release may decrease the effort required for threat actors to incorporate this technique into attacks. Full unauthenticated remote code execution has not been publicly identified at this time.

Update 2020/03/12: Microsoft has now released security patches for all affected products. After performing a business impact review, patches should be applied to avoid future exploitation.

On March 10, 2020, Microsoft announced a Remote Code Execution (RCE) vulnerability affecting the Microsoft Server Message Block 3.1.1 (SMBv3) [1]. The vulnerability allows for an unauthenticated attacker to remotely execute code on vulnerable SMB Clients and Servers. Successful exploitation would allow an attacker full control over affected systems. Additionally, the vulnerability may be wormable – with the ability to propagate malicious content across multiple vulnerable systems [2].

Details on this topic are limited at this time, and additional information is expected from Microsoft in the near future. Attacks exploiting this vulnerability have not been identified in the wild at this time. It is highly recommended that organizations apply the work arounds recommended by Microsoft until the official security patches are released.

What we’re doing about it

• esNETWORK rules to detect potential exploitation of this vulnerability have been deployed 
• eSentire security teams are actively monitoring the situation for additional details

What you should do about it

• After performing a business impact review, apply the Microsoft security patches [3]

• Note that a reboot is required for the security patches to take effect

If patching is not currently possible:

• Disable SMBv3 compression to prevent exploitation of vulnerable SMBv3 servers [1]

• This workaround will only prevent exploitation of SMBv3 severs but not SMBv3 clients

• Block SMB (TCP port 445) traffic at the perimeter firewall [4]

Additional information

This vulnerability is currently being tracked as CVE-2020-0796. The vulnerability is due to the way that SMBv3 protocol handles certain requests.

In order to successfully exploit this vulnerability against an SMBv3 client, an attacker would be required to set up a malicious SMBv3 Server and convince the target user to connect to the server.

To successfully exploit this vulnerability against an SMBv3 server, the unauthenticated attacker would need to send specially crafted packets to a targeted SMBv3 server.

Affected Products:

• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)

At this time, no verified Proof-of-Concept exploits have been identified.

While the risk of exploitation is still low, the wormable nature of this vulnerability presents the opportunity for future widespread abuse. Customers are recommended to apply the available workarounds while this risk remains low.

References:

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

[2] https://cc.bingj.com/cache.aspx?q=https%3a%2f%2fblog.talosintelligence.com%2f2020%2f03%2fmicrosoft-patch-tuesday-march-2020.html&w=NrvF66m3pULMCOMEBw-cKyRUwi9s1qXv&d=928684983196

[3] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

[4] https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections