Advisory Overview
Microsoft has released a patch outside their regular cycle for Microsoft Windows 10 & Windows Server within SMB, a commonly utilized Windows protocol. The vulnerability allows a threat actor to execute code on the target server or client without the need for authentication. This vulnerable is “wormable” allowing it to spread from computer to computer within a network.
Technical detail and additional information
What is the threat?
A Remote Code Execution (RCE) vulnerability exists in the Microsoft Server Message Block (SMB) 3.1.1 protocol due to a buffer overflow in vulnerable servers. By supplying a specially crafted malicious packet, a remote, unauthenticated malicious actor can execute arbitrary code (within the context of the application). This vulnerability has also been identified as a “wormable” vulnerability, meaning that the attack is able to move from one machine to another quickly and autonomously.
Why is this noteworthy?
Microsoft regularly pushes security patches Tuesday; this is a patch released off the normal cycle increasing the urgency for this vulnerability.
The vulnerability exists in version 3.1.1 of SMB (the latest version of SMB), which is a common service that is used primarily to share files, printers, and other various resources on both local networks and the over internet. Any device, both server and end user, that uses this vulnerable SMB version is susceptible to this exploit. Experts may note that this exploit is on a surface level reminiscent of the infamous WannaCry and NotPetya exploits due to being both wormable and associated with SMB. However, it is important to note that SMB version 3 is significantly less pervasive than SMB version 1 was, and SMB is now more secure than it was at the time of WannaCry and NotPetya.
What is the exposure or risk?
When exploited, this vulnerability allows a malicious actor to execute any number of remote commands or arbitrary code (within the context of the application). The primary danger of this exploit, as with any SMB exploit, is the ability for an attacker to move laterally with ease. This means that compromising a single vulnerable Windows system can snowball quickly into any and all connected vulnerable Windows systems becoming compromised. As previously noted, SMB was used in exploits to distribute ransomware over a large breadth of vulnerable machines quickly after a single machine was compromised. Currently there is no actual exploit code being disseminated that could leverage this vulnerability, and due to target hardening of SMB there may not be viable exploitation attempts in the near future.
What are the recommendations?
SKOUT recommends installing the patch released by Microsoft that addresses the vulnerability.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.zdnet.com/google-amp/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu/?__twitter_impression=true
- https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
- https://arstechnica.com/information-technology/2020/03/windows-has-a-new-wormable-vulnerability-and-theres-no-patch-in-sight/
- https://www.reddit.com/r/msp/comments/fgr293/smbghost_remote_smbv3_vulnerabilty/
- https://en.wikipedia.org/wiki/Address_space_layout_randomization
If you have any questions, please contact our Security Operations Center.
