
SMBv3 Remote Code Execution - CVE-2020-0796

LividPanda

A "potentially wormable" vulnerability exists in SMBv3, specifically in its compression. Information was accidentally released by Microsoft and then by Cisco Talos Intelligence on the page below, but was then taken down. The Microsoft page is now blank. Screenshot below the link. Due to its similarity to EternalBlue, Twitter is already trying to call it CoronaBlue. Microsoft did not include a patch for it in the latest March 2020 Patch Tuesday. 

 

https://blog.talosintelligence.com/2020/03/microsoft-patch-tuesday-march-2020.html

 

[Screenshot of the Talos Patch Tuesday page before it was taken down]

 

Microsoft's blank page that will probably have helpful information at some point. This page now has a patch available.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

 

Additional information on FortiGuard Labs and Twitter.

 

https://fortiguard.com/encyclopedia/ips/48773

 

https://twitter.com/search?q=CVE-2020-0796&src=typed_query

 

Temporary remediation is to either disable SMBv3 or disable compression. Use common sense when following directions off Twitter to edit your registry or run PowerShell.

A better article: https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/

 

Update - Security Advisory from Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
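The two workarounds mentioned in the post (disable compression, or take SMBv3 off the wire) and the later patch can be checked from one script. The following is an added example, not code from the post, the advisory or Microsoft. It assumes that the affected builds are 18362 (Windows 10 / Server 1903) and 18363 (1909), that KB4551762 raises those builds to update revision (UBR) 720, and that the ADV200005 workaround is the `DisableCompression` DWORD under the LanmanServer `Parameters` key. It also encodes the advisory's caveat that the registry workaround protects only the SMB server role: a mitigated host is still exposed as an SMB client if it connects to a hostile server, so it is reported separately from a patched one.

```python
"""Audit a Windows host for CVE-2020-0796 exposure (added example).

Assumptions, all labelled:
  - affected builds are 18362 (1903) and 18363 (1909)
  - KB4551762 takes those builds to UBR 720 (18362.720 / 18363.720)
  - the ADV200005 workaround is DisableCompression=1 (REG_DWORD) under
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
The decision logic is pure Python so it can be unit-tested off-box;
registry access only runs on Windows.
"""
import sys

try:
    import winreg  # only present on Windows
except ImportError:
    winreg = None

AFFECTED_BUILDS = {18362: "1903", 18363: "1909"}   # assumption, per the advisory
PATCHED_UBR = 720                                  # assumption: KB4551762 revision
LANMAN_PARAMS = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NT_VERSION = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"


def assess(build, ubr, disable_compression):
    """Classify a host from OS build, update revision and workaround state.

    Returns "not_affected", "patched", "mitigated_server_only" or "vulnerable".
    The registry workaround only protects the SMB *server* role; a host that
    connects as a client to a malicious server is still exposed, which is why
    it is not reported as "patched".
    """
    if build not in AFFECTED_BUILDS:
        return "not_affected"
    if ubr is not None and ubr >= PATCHED_UBR:
        return "patched"
    if disable_compression == 1:
        return "mitigated_server_only"
    return "vulnerable"


def read_dword(hive, subkey, name):
    """Read a REG_DWORD value; None if the key or value is absent."""
    try:
        with winreg.OpenKey(hive, subkey) as key:
            value, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


def audit_local_host(apply_workaround=False):
    """Run the check on this machine (Windows only); returns the status string."""
    if winreg is None or not sys.platform.startswith("win"):
        raise RuntimeError("host audit needs a Windows machine")
    build = sys.getwindowsversion().build
    ubr = read_dword(winreg.HKEY_LOCAL_MACHINE, NT_VERSION, "UBR")
    disable = read_dword(winreg.HKEY_LOCAL_MACHINE, LANMAN_PARAMS, "DisableCompression")
    status = assess(build, ubr, disable)
    if status == "vulnerable" and apply_workaround:
        # Same effect as the advisory's PowerShell one-liner
        # (Set-ItemProperty ... DisableCompression -Type DWORD -Value 1).
        # Needs an elevated process; the advisory says no reboot is required.
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LANMAN_PARAMS, 0,
                            winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, "DisableCompression", 0, winreg.REG_DWORD, 1)
        status = "mitigated_server_only"
    return status


if __name__ == "__main__":
    print(f"{sys.platform}: {audit_local_host('--fix' in sys.argv)}")
```

Run it with `--fix` from an elevated prompt to set the value on a vulnerable host; patched and unaffected hosts are left alone. The pure `assess()` function is the piece a fleet inventory tool would call with build and UBR numbers gathered from elsewhere, and it is deliberately the only part that decides anything.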

 

 


Based off what I'm reading here I could see this being quite problematic for schools and universities, but most homeowners don't host their own file servers.

 

Nevertheless, something that ought to be patched.


22 minutes ago, Windows7ge said:

Based off what I'm reading here I could see this being quite problematic for schools and universities, but most homeowners don't host their own file servers.

 

Nevertheless, something that ought to be patched.

Most NASes run on SMBv3, at least when configured for use with Windows.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


17 minutes ago, Master Disaster said:

Most NASes run on SMBv3, at least when configured for use with Windows.

I'm aware. I'm lumping NASes in with file servers since they serve a very similar function, just with different features.

 

My point still stands, most people/homeowners don't host their files on the local network. I would argue more people probably use OneDrive or other cloud hosting applications if they don't keep everything local. For this reason the overwhelming number of Windows users won't really be impacted by this.

 

There's also the matter that the hacker needs access to the LAN, and has to pick out a network on the Internet that likely hasn't port-forwarded their NAS because they don't need it; the likelihood that they get into a network that doesn't have a NAS anyway just further reduces the likelihood of being impacted.

 

You would have to have someone who is deliberately out to get you with inside knowledge of your network for there to be a realistic scenario where this could impact your average consumer. Even then if this failed they'd just try something different.

 

That's no excuse not to update Windows when a patch comes out though. More security the better.


17 minutes ago, Windows7ge said:

I'm aware. I'm lumping NASes in with file servers since they serve a very similar function, just with different features.

 

My point still stands, most people/homeowners don't host their files on the local network. I would argue more people probably use OneDrive or other cloud hosting applications if they don't keep everything local. For this reason the overwhelming number of Windows users won't really be impacted by this.

 

That's no excuse not to update Windows when a patch comes out though.

It is still unclear if a file server like a NAS needs to be involved at all. I realize the tweet in my post makes it sound that way but after further research it is really unclear. I would actually lean towards you just have to have SMBv3 enabled on your computer, exactly how EternalBlue worked. Which on some home computers on a network 445 could be open for any number of reasons and you throw in a person who likes to open up all their email attachments, you're going to have a bad time. It is worth noting EternalBlue was the method that was used to spread most of that cryptolocker malware. This could easily do the same thing. By the middle of next week I bet there will be some proof of concept exploit code on Github/Twitter.


7 minutes ago, LividPanda said:

It is still unclear if a file server like a NAS needs to be involved at all. I realize the tweet in my post makes it sound that way but after further research it is really unclear. I would actually lean towards you just have to have SMBv3 enabled on your computer, exactly how EternalBlue worked. Which on some home computers on a network 445 could be open for any number of reasons and you throw in a person who likes to open up all their email attachments, you're going to have a bad time. It is worth noting EternalBlue was the method that was used to spread most of that cryptolocker malware. This could easily do the same thing. By the middle of next week I bet there will be some proof of concept exploit code on Github/Twitter.

The way I read the initial post I'm interpreting it as the hacker connects to the file server that uses SMB3 then intercepts the client as they connect not that the hacker can connect directly to the client.

 

If it's a direct peer-to-peer type attack that has the real potential of being more problematic. I don't know if by default with Network Discovery disabled if the SMB3 service is running since the Firewall blocks a lot of the LAN communication coming into the machine otherwise.


33 minutes ago, VegetableStu said:

how topical, LOL

 

oh jeez, i use SMB to "airdrop" files between my laptop and my PC. should i be concerned? o_o

It's unclear if this exploit needs a server running SMB or can infect a machine directly if the SMB service is running (which it will be if Network Discovery is enabled on the machine).

 

Either way as long as the SMB port is blocked externally and you don't open sketchy attachments you'll probably be fine.


1 hour ago, Windows7ge said:

The way I read the initial post I'm interpreting it as the hacker connects to the file server that uses SMB3 then intercepts the client as they connect not that the hacker can connect directly to the client.

 

If it's a direct peer-to-peer type attack that has the real potential of being more problematic. I don't know if by default with Network Discovery disabled if the SMB3 service is running since the Firewall blocks a lot of the LAN communication coming into the machine otherwise.

Yep, the tweet certainly implies that to be the case. The hacker hijacks the server then uses it to exploit clients.

 

Thinking it through that means NASes will be unaffected as they mostly use Unix based OSes anyway and wouldn't be running the Windows SMB service at all.

 

Also I don't see why anyone would open SMB up to the wider internet at all, schools certainly wouldn't need to, higher education facilities and businesses should be using VPN with encryption for remote access. Opening a fileserver to the internet is just asking for trouble.


7 minutes ago, Master Disaster said:

Yep, the tweet certainly implies that to be the case. The hacker hijacks the server then uses it to exploit clients.

 

Thinking it through that means NASes will be unaffected as they mostly use Unix based OSes anyway and wouldn't be running the Windows SMB service at all.

So assuming a successful attack this means remote code execution. I assume that means the sky's the limit as far as what they could do to the client from there.

 

My knowledge of SAMBA is limited. I don't know how similar or dissimilar the code is that allows it and legit Windows SMB to communicate with each other. The exploit may or may not exist in each. Will need more information.


1 minute ago, Windows7ge said:

So assuming a successful attack this means remote code execution. I assume that means the sky's the limit as far as what they could do to the client from there.

 

My knowledge of SAMBA is limited. I don't know how similar or dissimilar the code is that allows it and legit Windows SMB to communicate with each other. The exploit may or may not exist in each. Will need more information.

Agreed, but if the exploit requires hijacking an SMB server I have a hard time imagining the same exploit also exists on a SAMBA server. That being said, IIRC Microsoft do submit code to SAMBA so it's not impossible.


Exploitable with an SMB Client or an SMB Server but there is an additional hoop to jump through to get RCE on an SMB client, which is good for those at home. It is rated critical by Microsoft. More information in the link below along with workarounds but still no patch.

 

Quote

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

 

 


On 3/10/2020 at 8:30 PM, LividPanda said:

Exploitable with an SMB Client or an SMB Server but there is an additional hoop to jump through to get RCE on an SMB client, which is good for those at home. It is rated critical by Microsoft. More information in the link below along with workarounds but still no patch.

 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

 

 

Patch has been released today as part of KB4551762


Kryptos Logic has a working DoS proof of concept that they demo'd on Twitter/Vimeo. They are purportedly going to release a blog post etc explaining some of the technical details now that Microsoft has released a patch. This will likely accelerate this being weaponized and used out in the wild. They've also done an internet wide scan.

Quote

We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).

https://twitter.com/kryptoslogic

 

Update:

Technical description of the vulnerability by 360 Core Security

http://blogs.360.cn/post/CVE-2020-0796.html

 

Update:

There is a PoC on Github that results in a DoS; it BSODs your computer. I've been unable to get it to work. Struggling with the python implementation of the LZNT1 compression algorithm.
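What the DoS proof of concept sends is a compressed SMB2 message whose size fields cannot be trusted. The following is an added example, not the GitHub PoC and not Kryptos Logic's or 360 Core Security's code: it parses the SMB2 COMPRESSION_TRANSFORM_HEADER out of raw TCP/445 payloads and flags the CVE-2020-0796 condition as described in the 360 write-up linked above, namely OriginalCompressedSegmentSize plus Offset computed as a 32-bit value with no overflow check, which leaves the server with an undersized buffer. The header layout follows MS-SMB2 section 2.2.42 and the 4-byte NetBIOS session framing used for direct-TCP SMB; the frames it runs over are constructed test vectors, not captured traffic, and the LZNT1 body is never decompressed. That is the point for a detector: only the header arithmetic matters, not the compression step the poster was fighting with.

```python
"""Flag compressed SMB2 messages whose header sizes wrap in 32 bits (added example).

Assumptions, all labelled: header layout from MS-SMB2 2.2.42
(COMPRESSION_TRANSFORM_HEADER), NetBIOS session framing on TCP/445, and the
public description of CVE-2020-0796 (OriginalCompressedSegmentSize + Offset
computed without an overflow check). Sample frames are constructed test data.
"""
import struct

U32_MAX = 0xFFFFFFFF
PROTOCOL_ID = b"\xfcSMB"  # 0xFC 'S' 'M' 'B' marks a compressed SMB2 message
# ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset
HEADER = struct.Struct("<4sIHHI")
ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman"}


def strip_netbios(frame):
    """Remove the 4-byte NetBIOS session header (0x00 + 24-bit big-endian length)."""
    if len(frame) < 4 or frame[0] != 0:
        return None
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    return body if len(body) == length else None


def parse_compression_header(msg):
    """Return the header fields as a dict, or None if msg is not a compressed SMB2 message."""
    if len(msg) < HEADER.size:
        return None
    proto, orig_size, algo, flags, offset = HEADER.unpack_from(msg)
    if proto != PROTOCOL_ID:
        return None
    return {
        "original_size": orig_size,
        "algorithm": ALGORITHMS.get(algo, f"unknown({algo})"),
        "flags": flags,
        "offset": offset,                      # bytes of uncompressed prefix after the header
        "payload_len": len(msg) - HEADER.size,  # what is actually on the wire
    }


def classify(hdr):
    """'overflow'  : OriginalCompressedSegmentSize + Offset wraps past 32 bits
                    (the CVE-2020-0796 condition; patched servers reject it)
       'oversized' : Offset claims more prefix bytes than were sent
       'ok'        : fields are internally consistent"""
    if hdr["original_size"] + hdr["offset"] > U32_MAX:
        return "overflow"
    if hdr["offset"] > hdr["payload_len"]:
        return "oversized"
    return "ok"


def scan_frames(frames):
    """Run the checks over raw TCP/445 payloads; returns (index, verdict, header) triples."""
    findings = []
    for i, frame in enumerate(frames):
        msg = strip_netbios(frame)
        hdr = parse_compression_header(msg) if msg is not None else None
        if hdr is not None:
            findings.append((i, classify(hdr), hdr))
    return findings


def _frame(orig_size, offset, algo, body):
    """Build a NetBIOS-framed compressed message; used only to construct test vectors."""
    msg = HEADER.pack(PROTOCOL_ID, orig_size, algo, 0, offset) + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed test vectors (not captured traffic):
SAMPLE_FRAMES = [
    b"\x00\x00\x00\x04\xfeSMB",                   # plain SMB2 header prefix, ignored
    _frame(64, 0, 1, b"\x00" * 16),               # well-formed LZNT1 message
    _frame(0xFFFFFFFF, 0x10, 1, b"\x00" * 16),    # sizes wrap past 32 bits
    _frame(64, 4096, 1, b"\x00" * 16),            # offset beyond the bytes sent
]

if __name__ == "__main__":
    for i, verdict, hdr in scan_frames(SAMPLE_FRAMES):
        print(f"frame {i}: {verdict} {hdr}")
```

To use it on real traffic, feed `scan_frames()` the reassembled TCP payloads toward port 445 (for example from a pcap via any capture library); anything classified as `overflow` against an unpatched 1903/1909 host is worth an alert regardless of what the compressed body contains, and the `oversized` case catches sloppier variants that a legitimate Windows client never produces.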


43 minutes ago, VegetableStu said:

double derp ,_,

 

check with the microsoft insider community. (i'll page @GoodBytes to see if he's aware. (sorry ,_,))

Microsoft is issuing a fix already.

If you can't wait, want it now, and hope for the best: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4551762
Pick the right OS and version, architecture you are on.

 

