
Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!

March 12, 2020 Mohit Kumar

Microsoft today finally released software updates to patch a recently disclosed,
very dangerous vulnerability in the SMBv3 protocol that could let attackers launch
wormable malware, which can propagate itself from one vulnerable computer to another
automatically.

The vulnerability in question, tracked as CVE-2020-0796, is a remote code execution
flaw that impacts Windows 10 versions 1903 and 1909, and Windows Server versions
1903 and 1909.

Server Message Block (SMB), which runs over TCP port 445, is a network protocol
that has been designed to enable file sharing, network browsing, printing services,
and interprocess communication over a network.

The latest vulnerability, for which a patch update (KB4551762) is now available on the
Microsoft website, exists in the way the SMBv3 protocol handles requests with
compression headers, making it possible for unauthenticated remote attackers to
execute malicious code on target servers or clients with SYSTEM privileges.

Compression headers are a feature that was added to the affected protocol in Windows
10 and Windows Server operating systems in May 2019, designed to compress the
size of messages exchanged between a server and the clients connected to it.

"To exploit the vulnerability against a server, an unauthenticated attacker could send
a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability
against a client, an unauthenticated attacker would need to configure a malicious
SMBv3 server and convince a user to connect to it," Microsoft said in the advisory.

At the time of writing, only one known PoC exploit exists for this critical
remotely exploitable flaw, but reverse engineering the new patches could now also help
hackers find possible attack vectors to develop fully weaponized self-propagating
malware.

A separate team of researchers has also published a detailed technical analysis of
the vulnerability, concluding that a kernel pool overflow is the root cause of the issue.

As of today, there are nearly 48,000 Windows systems vulnerable to the latest SMB
compression vulnerability and accessible over the Internet.

Since a patch for the wormable SMBv3 flaw is now available to download for affected
versions of Windows, it's highly recommended for home users and businesses to
install updates as soon as possible, rather than merely relying on the mitigation.

In cases where an immediate patch update is not possible, it's advised to at least
disable the SMB compression feature and block the SMB port for both inbound and
outbound connections to help prevent remote exploitation.
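
The interim steps above, sketched as a PowerShell script for an elevated prompt. This is an added example, not code from the article or from Microsoft's tooling. Assumptions: the DisableCompression registry value is the workaround published in Microsoft's advisory (it is not spelled out on this page), and limiting the block rules to the Public firewall profile, along with the rule names, is an illustrative choice.

```powershell
# Added example: interim hardening for CVE-2020-0796 on a host that cannot
# take KB4551762 yet. Run from an elevated PowerShell prompt.
$kb      = 'KB4551762'   # patch named in the article
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is the patch present? Later cumulative updates supersede this KB, so a
#    miss here means "verify the OS build", not "definitely vulnerable".
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

if (-not $patched) {
    # 2. Disable SMBv3 compression on the SMB server side (no reboot needed).
    #    This does not protect the SMB client on the same machine.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWord -Value 1 -Force

    # 3. Block TCP 445 in both directions on the Public profile only
    #    (assumption: Domain/Private traffic is filtered at the perimeter).
    $rules = @(
        @{ DisplayName = 'Block SMB 445 inbound (CVE-2020-0796)';  Direction = 'Inbound';  LocalPort  = 445 },
        @{ DisplayName = 'Block SMB 445 outbound (CVE-2020-0796)'; Direction = 'Outbound'; RemotePort = 445 }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @r -Protocol TCP -Profile Public -Action Block | Out-Null
        }
    }
}

# 4. Report the resulting state so it can be collected centrally.
$value = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    PatchFound          = $patched
    CompressionDisabled = ($value -eq 1)
    SmbBlockRules       = @(Get-NetFirewallRule -DisplayName 'Block SMB 445*' -ErrorAction SilentlyContinue).Count
}
```

Once the update is installed, remove the block rules and set DisableCompression back to 0 if compression is wanted again.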