Microsoft leaks information about ‘wormable’ flaw before releasing patch

Microsoft accidentally leaked information about a security update for a vulnerability, tracked as CVE-2020-0796, which reportedly should have been disclosed as part of Patch Tuesday. This is a ‘wormable’ pre-auth remote code execution vulnerability, caused by an error in the way SMBv3 handles maliciously crafted compressed data packets. It can allow a remote, unauthenticated attacker to execute arbitrary code.

Devices running Windows 10 version 1903, Windows Server version 1903 (Server Core installation), Windows 10 version 1909, and Windows Server version 1909 (Server Core installation) are currently known to be impacted. More versions, however, could be affected, since SMBv3 was released in Windows 8 and Windows Server 2012.

A number of security vendors, such as Cisco Talos and Fortinet, received early access to the vulnerability information and pushed out advisories. These have since been removed. Cisco Talos still mentions the bug in its Patch Tuesday article but does not go into specific detail. Microsoft has not yet addressed the mistake, releasing instead a security advisory on how to mitigate against attacks, which can be viewed here.

There has been no exploitation of the flaw in the wild so far. Microsoft’s secrecy about the bug, however, has led to users speculating about its potential impact and severity, comparing the bug to the likes of EternalBlue, NotPetya, WannaCry, and MS17-010. (1, 2)

Cisco Talos has informed users that until a patch is released, disabling SMB3 compression and blocking TCP Port 445 on computers and firewalls should block attack attempts. Users can disable compression on SMBv3 servers with this PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
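As an added example, not code from the original article or from Microsoft's advisory, the following PowerShell script audits and applies the two interim mitigations described above on a single host: it checks whether the DisableCompression value is set, sets it if not, and adds an inbound Windows Firewall rule blocking TCP 445. The registry path and value are the ones in the command above; the firewall rule name, the function names and the -Apply switch are my own. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Windows Server with the NetSecurity module available.

```powershell
# Added example (not from the original article or the vendor advisory): audit and optionally
# apply the interim CVE-2020-0796 mitigations on this host. Run elevated.
# Caveats a defender should keep in mind:
#  - Disabling SMBv3 compression protects the SMB *server* role only; SMB clients are not covered.
#  - Blocking inbound TCP 445 also stops legitimate file and printer sharing to this host.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'
$RuleName  = 'Block inbound SMB TCP 445 (CVE-2020-0796 interim mitigation)'  # hypothetical rule name

function Get-SmbCompressionMitigationState {
    # $true only when the value exists and is exactly 1 (the setting the advisory recommends).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-SmbCompressionMitigation {
    # Same registry change as the one-line command above; idempotent.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force
}

function Test-Port445Blocked {
    # Checks only for the rule this script manages; other rules blocking 445 are not detected.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block')
}

function Block-Port445 {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# Windows 10 / Server 1903 and 1909 correspond to builds 18362 and 18363 (known fact, not from the
# article). Other builds are reported but not excluded, since the article notes more may be affected.
$build = [System.Environment]::OSVersion.Version.Build
$knownAffected = $build -in 18362, 18363

if ($Apply) {
    if (-not (Get-SmbCompressionMitigationState)) { Set-SmbCompressionMitigation }
    if (-not (Test-Port445Blocked))               { Block-Port445 }
}

[pscustomobject]@{
    OSBuild                    = $build
    BuildInAdvisoryList        = $knownAffected
    SMBv3CompressionDisabled   = Get-SmbCompressionMitigationState
    InboundTcp445Blocked       = Test-Port445Blocked
} | Format-List
```

Run it once without -Apply to see the host's state, then with -Apply to enforce both workarounds. The registry change takes effect without a reboot, but it should be reverted once the vendor patch is installed so that compression can be used again.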

If the effects of this flaw are anything like that of EternalBlue, it could be devastating for many organizations. The EternalBlue exploit was leaked by the @ShadowBrokers group in 2017 before patches for the vulnerability were available. The vulnerability was then used by the WannaCry ransomware in a worldwide cyberattack. The UK NHS suffered significantly in the aftermath of this attack. It is estimated that around £92 million of damage was caused through disruption to services and the need for IT upgrades.

EternalBlue was later used again by the NotPetya malware, which infected the websites of banks, ministries, newspapers and electricity firms in Ukraine, France, Germany, Italy, Poland, Russia, the UK, US, and Australia. The NotPetya attacks mainly targeted Ukraine, with the malware posing as ransomware to disrupt systems and cause maximum damage. NotPetya is thought to be one of the most devastating cyberattacks in history.
