Microsoft discloses wormable SMBv3 flaw without a patch

A wormable vulnerability has been revealed in Microsoft's Server Message Block protocol, but there's no patch in sight.

Microsoft's Platform Security Assurance & Vulnerability Research team disclosed the new remote code execution vulnerability (CVE-2020-0796) associated with the Microsoft Server Message Block 3.1.1 (SMBv3) protocol and how it handles certain requests.

Update: Microsoft Thursday issued patches for the SMBv3 vulnerability. The company also said the vulnerability has not yet been exploited by threat actors in the wild.

"An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client," Microsoft's security advisory said. "To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

Microsoft revealed the critical SMBv3 flaw on Patch Tuesday, which saw updates for 115 unique vulnerabilities; however, unlike those vulnerabilities, the SMBv3 flaw did not received a patch. Previous vulnerabilities in Windows Server Message Block (SMB) have been used by attackers before, most notably in the WannaCry ransomware attacks.

Microsoft said it would inform users when security updates for the flaw are available. In the meantime, the company encourages users to disable SMBv3 compression and block TCP port 445. The company declined SearchSecurity's request for further comment, offering only a link to the security advisory.

"I expect it to be very difficult [to exploit the flaw]," said Jake Williams, founder of cybersecurity firm Rendition Infosec. "I think it's going to be a viable denial-of-service exploit, meaning [threat actors] will be able to cause a crash, which is obviously bad, but that's not code execution. That's what most people consider quote-unquote exploitation. So, for it to be wormable you're going to have to have code execution, and that is going to be very nontrivial to do, I suspect."

Cisco Talos published a post on Patch Tuesday that referenced the SMBv3 flaw, but the company later removed that section of the post.

"CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to. Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a "wormable" attack, which means it would be easy to move from victim to victim," the post originally said.

A Cisco Talos spokesperson said the blog post was published accidentally and then revised but did not explain why the information about the SMBv3 vulnerability was removed.

"On March 10, information on an in-process effort was inadvertently posted and then promptly deleted from the Talos blog because it was not finalized," the spokesperson wrote in an email. "As a matter of policy, we do not discuss research that has not yet been approved for public disclosure. We are aware that this may have caused some confusion and will follow up when we have more to offer."