Microsoft leaks information about ‘wormable’ flaw before releasing patch

Microsoft accidentally leaked information about a security update for a vulnerability, tracked as CVE-2020-0796, which reportedly should have been disclosed as part of Patch Tuesday. It is a ‘wormable’ pre-authentication remote code execution vulnerability caused by an error in the way the SMBv3 protocol handles maliciously crafted compressed data packets. It can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable host.

Devices running Windows 10 version 1903, Windows Server version 1903 (Server Core installation), Windows 10 version 1909, and Windows Server version 1909 (Server Core installation) are currently known to be affected. Other versions could also be affected: SMBv3 itself has shipped since Windows 8 and Windows Server 2012, although the compression feature at the root of this bug was only added to the protocol in Windows 10 version 1903.

A number of security vendors, such as Cisco Talos and Fortinet, received early access to the vulnerability information and pushed out advisories. These have since been removed. Cisco Talos still mentions the bug in its Patch Tuesday article but does not go into specific detail. Microsoft has not yet addressed the mistake; instead it has released a security advisory (ADV200005) describing how to mitigate attacks until a patch is available.

There has been no exploitation of the flaw in the wild so far. Microsoft’s secrecy about the bug, however, has led users to speculate about its potential impact and severity, comparing it to EternalBlue (the SMBv1 exploit patched by MS17-010) and to the WannaCry and NotPetya outbreaks that were built on it. (1, 2)

Cisco Talos has advised users that, until a patch is released, disabling SMBv3 compression and blocking TCP port 445 on hosts and at perimeter firewalls should stop attack attempts. Two caveats apply. Microsoft’s advisory notes that the registry change takes effect without a reboot but only protects the SMB server side of a host; an SMB client connecting to a malicious server remains exposed. Blocking port 445 at the network edge keeps internet-originated attempts out but does nothing against a worm already inside the network, so host firewalls matter too. Administrators can disable compression on SMBv3 servers with this PowerShell command, run from an elevated prompt:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
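The following script is an added example, not code from the article, from Microsoft or from Cisco Talos. It turns the one-line workaround above into an audit-and-apply routine: it reports whether the host runs one of the builds the article names, whether compression is already disabled, and whether inbound 445 is blocked by a host firewall rule, then applies both mitigations only where needed and offers a rollback for after the real patch lands. The build numbers (18362 for 1903, 18363 for 1909), the firewall rule name, and the decision to block 445 on the host are assumptions of the example; the article names only the version strings.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's, Microsoft's or Cisco Talos's code): audit a host
# for CVE-2020-0796 exposure and apply the interim workaround. Build-to-version
# mapping is an assumption of this example, limited to the versions the article names.

$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block SMB inbound (CVE-2020-0796)'   # assumed rule name for this example

function Test-SmbGhostExposure {
    # Read the OS build and the server-side compression switch; both are plain registry reads.
    $build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $disable = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedVersion     = $affectedBuilds[$build]   # $null when the build is not in the list
        CompressionDisabled = ($disable -eq 1)
        Port445Blocked      = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    }
}

function Invoke-SmbGhostWorkaround {
    # Microsoft's published workaround: takes effect immediately, no reboot, and only
    # protects this host's SMB *server*; outbound client connections stay exposed.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force

    # Host-level block of inbound 445, per the Cisco Talos advice. Assumption: this host does
    # not need to serve shares; skip this step on file servers and domain controllers.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

function Remove-SmbGhostWorkaround {
    # Roll back once the vendor patch is installed so SMB compression is available again.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 0 -Force
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Audit first, mitigate only on an affected build that still has compression enabled.
$state = Test-SmbGhostExposure
$state | Format-List
if ($state.AffectedVersion -and -not $state.CompressionDisabled) {
    Write-Warning "Windows $($state.AffectedVersion) (build $($state.Build)) with SMB compression enabled; applying workaround"
    Invoke-SmbGhostWorkaround
    Test-SmbGhostExposure | Format-List
}
```

Across a fleet, Test-SmbGhostExposure is the part worth running first, for example through Invoke-Command against a list of hosts, because the output tells you which machines are both on an affected build and still accepting compressed SMB traffic; those are the ones a worm could reach. Keep a record of where the firewall rule was applied so that Remove-SmbGhostWorkaround can be run on exactly those hosts after patching.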

If the effects of this flaw are anything like those of EternalBlue, it could be devastating for many organizations. The EternalBlue exploit was leaked by the Shadow Brokers group in April 2017, a month after Microsoft had patched the underlying vulnerability in MS17-010, and in May 2017 the WannaCry ransomware used it in a worldwide attack on systems that had not yet installed the fix. The UK NHS suffered significantly in the aftermath of this attack; it is estimated that around £92 million of damage was caused through disruption to services and the need for IT upgrades.

EternalBlue was later used again by the NotPetya malware, which infected systems at banks, ministries, newspapers and electricity firms in Ukraine, France, Germany, Italy, Poland, Russia, the UK, the US, and Australia. The NotPetya attacks mainly targeted Ukraine, with the malware posing as ransomware while in fact wiping systems to cause maximum disruption. NotPetya is thought to be one of the most devastating cyberattacks in history.
