Windows has a new wormable vulnerability, and there’s no patch in sight - Critical bug in Microsoft's SMBv3 implementation published under mysterious circumstances.

FlappyBat

soap, ballot, jury, ammo
kiwifarms.net
Excerpt from the article said:
Word leaked out on Tuesday of a new vulnerability in recent versions of Windows that has the potential to unleash the kind of self-replicating attacks that allowed the WannaCry and NotPetya worms to cripple business networks around the world.

The vulnerability exists in version 3.1.1 of the Server Message Block, the service that’s used to share files, printers, and other resources on local networks and over the Internet. Attackers who successfully exploit the flaw can execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in this bare-bones advisory.

The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909 and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren’t available, and Tuesday’s advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, “Beyond the advisory you linked, nothing else to share from Microsoft at this time.”
ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression



Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

We will update this advisory when updates are available. If you wish to be notified when this advisory is updated, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.


----------

I'm assuming the rule on not copying articles does not extend to stuff like the Microsoft security advisory.
 

The Fool

True & Honest Fan
kiwifarms.net
Isn't SMB disabled by default and MS even says you just shouldn't turn it on? I can't recall. Or maybe that was 1.0? Either way I don't see any SMB features enabled on my system and I didn't disable any.
 

FlappyBat

soap, ballot, jury, ammo
kiwifarms.net
Isn't SMB disabled by default and MS even says you just shouldn't turn it on? I can't recall. Or maybe that was 1.0? Either way I don't see any SMB features enabled on my system and I didn't disable any.
One of the issues is certain programs might require it being open. I wasn't able to confirm, but a guy on HackerNews is saying Azure Files (a Microsoft product) opens you up to the vulnerability.
 

Coffee Shits

Good morning!
kiwifarms.net
Isn't SMB disabled by default and MS even says you just shouldn't turn it on? I can't recall. Or maybe that was 1.0? Either way I don't see any SMB features enabled on my system and I didn't disable any.
I believe they don't recommend opening it to the wider internet because it's a chatty protocol, not so much that it's a vulnerable one.
 

3119967d0c

a... brain - @StarkRavingMad
True & Honest Fan
kiwifarms.net
I believe they don't recommend opening it to the wider internet because it's a chatty protocol, not so much that it's a vulnerable one.
More because there is no reason to have an SMB share open to the entire internet and it is far worse to deal with over higher than 200ms links than the likes of FTP or WebDAV would be.
One of the issues is certain programs might require it being open. I wasn't able to confirm, but a guy on HackerNews is saying Azure Files (a Microsoft product) opens you up to the vulnerability.
Oh wow. If so, that's pretty exceptional.

In any case.. this is an issue that could allow the further spread of an infection within corporate and government networks. But not a good way to actually get in in the first place.

I'm sure there are probably heaps of Windows 2000 and XP industrial computers attached directly to the internet in the US with port 445 open, running nuclear power plants and stuff like that, but they don't support SMBv3 and no home or business router is going to be set up to forward 445 to internal computers on a network.

This may not even be an issue for infection within your local network if you're on a home network where you don't have network shares explicitly set up, although it should be a wake-up call to any sysadmin dealing with domain networks who hasn't thought about how internal traffic should be locked down.
 

Tookie

Mountain of Molten Lust
True & Honest Fan
kiwifarms.net
Isn't SMB disabled by default and MS even says you just shouldn't turn it on? I can't recall. Or maybe that was 1.0? Either way I don't see any SMB features enabled on my system and I didn't disable any.
That's SMBv1. SMBv2 is enabled by default and you would have to dig through PowerShell or the Registry to disable it. This vulnerability affects v3 and I'm not even sure if that can be disabled or not.
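
Added example, not part of any post in this thread: a PowerShell audit of the conditions debated above on a single host (affected release, SMB server state, port 445). The function name and report fields are hypothetical, and the affected releases are the ones listed in the quoted article.

```powershell
# Added example; run in an elevated PowerShell session on the host to audit.
# Affected releases as listed in the quoted article.
$AffectedReleases = '1903', '1909'

function Get-SmbExposureReport {   # hypothetical helper name
    # ReleaseId holds the Windows 10 / Windows Server release, e.g. "1909".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # One switch, EnableSMB2Protocol, governs SMBv2 and SMBv3 together,
    # because both dialects share the same protocol stack.
    $smb = Get-SmbServerConfiguration

    # Is the SMB server accepting connections on TCP 445?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
        -ErrorAction SilentlyContinue)

    # Enabled inbound allow rules that cover local port 445.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow'
        }

    $affected = $AffectedReleases -contains $cv.ReleaseId
    [pscustomobject]@{
        ReleaseId         = $cv.ReleaseId
        AffectedRelease   = $affected
        SMB1Enabled       = $smb.EnableSMB1Protocol
        SMB2And3Enabled   = $smb.EnableSMB2Protocol
        Listening445      = $listening
        InboundAllow445   = @($rules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" })
        # All three must hold for the SMB Server case in the advisory.
        ServerSideExposed = $affected -and $smb.EnableSMB2Protocol -and $listening
    }
}

Get-SmbExposureReport | Format-List
```

The report covers the advisory's SMB Server case only; the SMB Client case involves outbound connections and does not depend on a listening port.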
 

CrunkLord420

not a financial adviser
Supervisor
True & Honest Fan
kiwifarms.net
It's unclear if this affects Windows 7 as well, but if it does I'm really curious to see if Microsoft patches it. If they don't, this is really the end of Win7.
 