Microsoft leaks information about ‘wormable’ flaw before releasing patch

Microsoft accidentally leaked information about a security update for a vulnerability, tracked as CVE-2020-0796, which reportedly should have been disclosed as part of Patch Tuesday. This is a ‘wormable’ pre-authentication remote code execution vulnerability, caused by an error in the way SMBv3 handles maliciously crafted compressed data packets. It can allow a remote, unauthenticated attacker to execute arbitrary code.

Devices running Windows 10 version 1903, Windows Server version 1903 (Server Core installation), Windows 10 version 1909, and Windows Server version 1909 (Server Core installation) are currently known to be impacted. More versions, however, could be affected, since SMBv3 was released in Windows 8 and Windows Server 2012.

A number of security vendors, such as Cisco Talos and Fortinet, received early access to the vulnerability information and pushed out advisories. These have since been removed. Cisco Talos still mentions the bug in its Patch Tuesday article but does not go into specific detail. Microsoft has not yet addressed the mistake; instead it has released a security advisory describing how to mitigate attacks.

There has been no exploitation of the flaw in the wild so far. Microsoft’s secrecy about the bug, however, has led users to speculate about its potential impact and severity, comparing it to the likes of EternalBlue, NotPetya, WannaCry, and MS17-010.

Cisco Talos has informed users that, until a patch is released, disabling SMBv3 compression and blocking TCP port 445 on computers and firewalls should block attack attempts. Users can disable compression on SMBv3 servers with this PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
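The following script is an added example, not code from the article, Cisco Talos or Microsoft. It audits and applies the two interim mitigations above (the registry change and an inbound block on TCP 445) and must run in an elevated PowerShell session; the function names and the firewall rule name are this example's own choices, and the build numbers 18362 and 18363 are the ones that correspond to Windows 10/Server 1903 and 1909.

```powershell
# Added example: audit and apply the interim CVE-2020-0796 mitigations on one host.
# Function names and the firewall rule name are chosen for this example.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbCompressionDisabled {
    # True only if the DisableCompression value exists and is set to 1.
    $props = Get-ItemProperty -Path $SmbParams -ErrorAction SilentlyContinue
    return ($null -ne $props.DisableCompression) -and ($props.DisableCompression -eq 1)
}

function Disable-SmbCompression {
    # Same registry change as the command above; safe to run repeatedly.
    if (-not (Test-SmbCompressionDisabled)) {
        Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWORD -Value 1 -Force
    }
    return Test-SmbCompressionDisabled
}

function Block-Smb445Inbound {
    # Blocks inbound TCP 445 under a named rule so it can be removed once the host is patched.
    $name = 'Block-SMB-445-Inbound-CVE-2020-0796'   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    return [bool](Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)
}

# The article lists only 1903 (build 18362) and 1909 (build 18363) as affected.
$build = [System.Environment]::OSVersion.Version.Build
$listedAsAffected = $build -in 18362, 18363
Write-Host "OS build $build; listed as affected: $listedAsAffected"
Write-Host "SMBv3 compression disabled: $(Disable-SmbCompression)"
Write-Host "Inbound TCP 445 blocked by firewall rule: $(Block-Smb445Inbound)"
```

Blocking port 445 also blocks legitimate SMB file sharing to the host, so remove the named rule once the official patch is installed.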

If the effects of this flaw are anything like that of EternalBlue, it could be devastating for many organizations. The EternalBlue exploit was leaked by the @ShadowBrokers group in 2017 before patches for the vulnerability were available. The vulnerability was then used by the WannaCry ransomware in a worldwide cyberattack. The UK NHS suffered significantly in the aftermath of this attack. It is estimated that around £92 million of damage was caused through disruption to services and the need for IT upgrades.

EternalBlue was later used again by the NotPetya malware, which infected the websites of banks, ministries, newspapers and electricity firms in Ukraine, France, Germany, Italy, Poland, Russia, the UK, US, and Australia. The NotPetya attacks mainly targeted Ukraine, with the malware posing as ransomware to disrupt systems and cause maximum damage. NotPetya is thought to be one of the most devastating cyberattacks in history.
