DHS CISA: Threat Actors Targeting Unpatched Microsoft Windows Flaw

June 08, 2020 - Threat actors are actively targeting an unpatched critical vulnerability found in certain Microsoft Windows systems with a new, publicly available proof-of-concept (POC) code, according to a recent alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency.

In March, Microsoft inadvertently disclosed a critical flaw known as CVE-2020-0796 without a patch but quickly provided a fix just two days later.

The remote code execution vulnerability is found in the Microsoft Server Message Block 3.1.1 (SMBv3) in all Windows 10 platforms and Windows Server versions 1903 and 1909. The flaw is not found in earlier platforms, as it’s a new feature used in Windows 10 versions.

The vulnerability is tied to the way the protocol handles some requests. A successful exploit would allow a hacker to execute arbitrary code on the SMB Server or Client, with researchers warning the flaw is wormable, or able to proliferate from one vulnerable machine to the next.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” Microsoft warned, at the time. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Despite Microsoft's release of a patch just two days after disclosing the flaw, many systems remain vulnerable. It’s notable, as the healthcare sector struggles with maintaining up-to-date patch policies and rely on a host of vulnerable, legacy systems, particularly those found in medical devices.

According to CISA, there is a publicly available and functional POC code able to exploit the CVE-2020-0796 vulnerability in unpatched systems, which hackers are using to target these systems.

As a result, organizations are being urged to apply the patch provided by Microsoft in early March, as well as ensuring patches have been applied to all critical- and high-severity vulnerabilities. CISA also recommends administrators implement a firewall to block SMB ports from the internet.

Administrators should also review the security guidance provided by Microsoft to apply any workarounds. Researchers stressed that the best-case scenario would be to apply the system updates.

If not possible, administrators could disable compression using a simple PowerShell command, which will block unauthorized attackers from exploiting the SMB flaw. Compression is not yet used by Windows or Windows Server, which means the workaround will not negatively impact performance.

While no reboot is needed for the workaround, Microsoft warned that this method would not prevent an exploit of SMB clients. To mitigate network vulnerabilities, organizations must block the TCP port 445 at the enterprise perimeter firewall. The TCP port 445 is used to initiate a connection with the impacted SMB component.

“Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter,” Microsoft warned, at the time.

“Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks,” they added. “However, systems could still be vulnerable to attacks from within their enterprise perimeter.”

Administrators should also review Microsoft’s insights on preventing SMB traffic from lateral connections, or from entering or leaving the network.