https://arstechnica.com/information-technology/2020/03/windows-has-a-new-wormable-vulnerability-and-theres-no-patch-in-sight/

DISCLOSURE FUBAR

Windows has a new wormable vulnerability, and there's no patch in sight

Critical bug in Microsoft's SMBv3 implementation published under mysterious circumstances.

Dan Goodin - Mar 11, 2020 12:01 pm UTC

[Photo: close-up of police-style caution tape stretched across an out-of-focus background. Credit: Michael Theis / Flickr]

Word leaked out on Tuesday of a new vulnerability in recent versions of Windows that has the potential to unleash the kind of self-replicating attacks that allowed the WannaCry and NotPetya worms to cripple business networks around the world. The vulnerability exists in version 3.1.1 of the Server Message Block (SMB) protocol, the service that's used to share files, printers, and other resources on local networks and over the Internet. Attackers who successfully exploit the flaw can execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in this bare-bones advisory.
The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909, and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources in hardening against precisely these types of attacks. Patches aren't available, and Tuesday's advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, "Beyond the advisory you linked, nothing else to share from Microsoft at this time."

In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

That fix won't protect vulnerable client computers or servers if they connect to a malicious SMB service, but in that scenario, the attacks aren't wormable. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.

Now you see it, now you don't

An advisory published--and then removed--by security firm Fortinet described the vulnerability as "MS.SMB.Server.Compression.Transform.Header.Memory.Corruption." The pulled advisory said the flaw is the result of a buffer overflow in vulnerable Microsoft SMB servers. "The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," Fortinet researchers wrote. "A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application."

Cisco's Talos security team also published--and later pulled--its own advisory.
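The workaround Microsoft describes above is a single registry write, which is easy to apply but also easy to lose track of across a fleet. The following PowerShell script is an added example (it is not from the Ars article, Microsoft's advisory, or either vendor's pulled write-up) that audits a host for the state of that workaround and applies it only where needed. It assumes that the ReleaseId value under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion reports the 1903/1909 version numbers the article lists, that the DisableCompression value under LanmanServer\Parameters is the one Microsoft's command sets, and that a firewall rule named 'Block inbound SMB 445 (CVE-2020-0796 workaround)' is the one this script itself creates; the rule name is a constructed label, not anything Microsoft ships.

```powershell
# Added example, not from the Ars article or from Microsoft. Audits the
# CVE-2020-0796 compression workaround state on the local host and can apply it.
# Assumptions: ReleaseId under CurrentVersion carries the 1903/1909 release
# numbers from the advisory; DisableCompression under LanmanServer\Parameters is
# the value Microsoft's documented command writes. Run in an elevated session.

$paramsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$versionKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$affectedReleases = @('1903', '1909')                       # releases named in the advisory
$ruleName         = 'Block inbound SMB 445 (CVE-2020-0796 workaround)'  # constructed label

function Get-SmbCompressionStatus {
    # Read the release id and the workaround value; both reads tolerate a missing value.
    $release = (Get-ItemProperty -Path $versionKey -ErrorAction SilentlyContinue).ReleaseId
    $value   = (Get-ItemProperty -Path $paramsKey -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    # A missing firewall rule makes Get-NetFirewallRule error; suppress that and treat it as $false.
    $rule    = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $release
        InAffectedRelease  = ($affectedReleases -contains $release)
        DisableCompression = $value                 # $null: value has never been set
        WorkaroundApplied  = ($value -eq 1)
        Port445BlockRule   = [bool]$rule
    }
}

function Set-SmbCompressionWorkaround {
    param([switch]$BlockPort445)

    # Same registry write as the command in the advisory; takes effect without a reboot.
    Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 1 -Force

    if ($BlockPort445) {
        # Blocking 445 inbound also stops legitimate file and printer sharing to this
        # host, so reserve it for hosts that must not serve SMB (e.g. Internet-exposed ones).
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block | Out-Null
        }
    }

    # Return the post-change state so the caller can record it.
    Get-SmbCompressionStatus
}

# Usage: audit first, then apply only where the release is one the advisory names
# and the workaround is not already in place.
$status = Get-SmbCompressionStatus
$status | Format-List

if ($status.InAffectedRelease -and -not $status.WorkaroundApplied) {
    Set-SmbCompressionWorkaround | Format-List
}
```

As the article notes, this only closes the server-side, wormable path: a client that connects to a hostile SMB service is not protected by the registry value, so the audit output is a record of exposure reduced, not of the host being patched. The firewall switch is deliberately opt-in because blocking 445 breaks ordinary file sharing to the host.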
Talos called the vulnerability "wormable," meaning a single exploit could touch off a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any interaction from admins or users. "An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," the removed Talos post said. "Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim."

Microsoft's implementation of SMBv3 introduces a variety of measures designed to make the protocol more secure on Windows computers. The update became more widely used after WannaCry and NotPetya used an exploit developed by--and later stolen from--the National Security Agency. Known as EternalBlue, the attack exploited SMBv1 to gain remote code execution and move from machine to machine. Microsoft has similarly hardened Windows 10 and Server 2019 to better withstand exploits, especially those that would otherwise be wormable.

It's not clear why Microsoft released the sparse details or why both Fortinet and Talos released and then pulled their advisories. The event came on Update Tuesday, which occurs on the second Tuesday of each month, when Microsoft releases a crop of patches to fix various security vulnerabilities.

Risk assessment

While CVE-2020-0796 is potentially serious, not everyone said it poses the kind of threat mounted by the SMBv1 flaw that was exploited by WannaCry and NotPetya. Those worms were fueled by the public release of EternalBlue, an exploit that was so reliable it made exploitation a copy-and-paste exercise. Another major contribution to the worms' success was the near-ubiquity of SMBv1 at the time. SMBv3, by contrast, is much less used.
SMB is also protected by kernel address space layout randomization, a protection that randomizes the memory locations where attacker code gets loaded in the event a vulnerability is successfully exploited. The protection requires attackers to devise two highly reliable exploits: one that abuses a buffer overflow or other code-execution vulnerability, and another that reveals the memory locations of the malicious payload. The protection required Buckeye, an advanced hacker group that exploited the SMBv1 flaw 14 months before the mysterious leak of EternalBlue, to use a separate information disclosure flaw as well.

Jake Williams, a former NSA hacker and the founder of security firm Rendition Security, said in a Twitter thread that both those factors would likely buy vulnerable networks time. "The TL;DR here is that this IS serious, but it isn't WannaCry 2.0," he wrote. "Fewer systems are impacted and there's no readily available exploit code. I'm not thrilled about another SMB vuln, but we all knew this would come (and this won't be the last). Hysteria is unwarranted though."

    5. Even with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, look at BUCKEYE. They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn't easy. 3/
    -- Jake Williams (@MalwareJake) March 10, 2020

It's also worth remembering that BlueKeep, the name of another wormable vulnerability Microsoft patched last May, has yet to be exploited widely--if at all--despite dire warnings that it posed a serious risk to networks around the world.

The cause of the advisories being published and then pulled touched off a fair amount of speculation on Twitter. Microsoft commonly provides details about soon-to-be-released patches to makers of antivirus products and intrusion prevention systems.
It's possible Microsoft delayed release of the SMBv3 patch at the last minute, and these partners didn't get word of it. Whatever the cause, the cat is out of the bag now. Windows users who have SMBv3 exposed on the Internet would do well to heed Microsoft's security advice as soon as possible.

Promoted Comments

jra_samba_org wrote:

    Microsoft hasn't contacted us (Samba) so this almost certainly isn't a protocol level bug (they're *very* good about being proactive on these), but an error in their implementation of the SMB3 compression transform. In other words, a typical buffer overrun in a compression library. Gee, wonder where I've seen these before. Currently Samba doesn't implement the SMB3 transform header, an example where being slow to implement a feature is an advantage for once :-). So most Linux-based SMB3 servers and NAS boxes (which use Samba) will not be affected by this (I believe - things may change as more information becomes available).

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001