Microsoft Alerts to Critical SMB Remote Code Flaw, Issues Patch

The tech giant is recommending organizations disable the SMBv3 compression, after inadvertently disclosing a critical remote code vulnerability on Patch Tuesday; Microsoft just issued a patch.

By Jessica Davis

The Department of Homeland Security Cybersecurity Agency (CISA) is urging organizations to review a Microsoft security advisory regarding a critical SMB remote code vulnerability, after the tech giant inadvertently disclosed the flaw without a patch.

Fortunately, Microsoft issued a patch two days later.

The CVE-2020-0796 flaw is found in Microsoft Server Message Block 3.1.1 (SMBv3) on all Windows 10 platforms and on Windows Server versions 1903 and 1909. Older platforms are not impacted, because the flaw lies in a feature that is new to those Windows 10 versions.

The remote code execution vulnerability is related to the way the protocol handles some requests. If successfully exploited, an attacker would be able to execute arbitrary code on the target SMB Server or Client. Researchers have warned the flaw is wormable.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server,” Microsoft warned. “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

In response, Microsoft provided several workarounds to protect systems until the patch was distributed. While the patch has been released, many in healthcare often struggle with updating systems and should therefore employ the workarounds until they are able to patch the critical flaw.

These workarounds include disabling SMBv3 compression, via a PowerShell command outlined in the advisory, to block unauthorized actors from exploiting the flaw. However, this mitigation does not protect SMB Clients.

Organizations can also block TCP port 445 at the perimeter firewall, which helps protect the systems behind that firewall from attempts to exploit this vulnerability.

“This can help protect networks from attacks that originate outside the enterprise perimeter,” Microsoft explained. “Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.”

Microsoft also urges organizations to prevent SMB traffic from making lateral connections and from entering or leaving the network, which can be accomplished through the perimeter firewall, the Windows Defender firewall, or by disabling the Server or Workstation services.
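As an added example (not the article's own content and not Microsoft's script), the following PowerShell applies the server-side compression workaround and a host-firewall block for TCP 445 on a single Windows 10 or Windows Server 1903/1909 host, checks that both took effect, and rolls them back once the update is confirmed. The DisableCompression registry value is the one Microsoft's advisory sets; the firewall rule name and the hotfix-ID parameter are this example's own assumptions.

```powershell
# Added example, not from the article or Microsoft. Run from an elevated PowerShell
# on a Windows 10 / Windows Server 1903 or 1909 host that has not yet been updated.
$SmbServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName        = 'CVE-2020-0796 workaround - block inbound TCP 445'   # assumed name

function Disable-SmbV3Compression {
    # Server-side only: an SMB client that connects to a malicious server is not protected.
    Set-ItemProperty -Path $SmbServerParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Test-SmbV3CompressionDisabled {
    $p = Get-ItemProperty -Path $SmbServerParams -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DisableCompression -eq 1)
}

function Block-InboundSmb {
    # Host firewall rule; it complements, not replaces, the perimeter block on TCP 445.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Test-UpdateInstalled {
    # Placeholder parameter: supply the hotfix ID for your build from Microsoft's update guide.
    param([Parameter(Mandatory)][string]$HotFixId)
    return [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
}

function Undo-Cve20200796Workarounds {
    # Only after Test-UpdateInstalled reports true; compression is then safe to re-enable.
    Set-ItemProperty -Path $SmbServerParams -Name DisableCompression -Type DWORD -Value 0 -Force
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

# Typical sequence for an unpatched host: apply both workarounds, then report their state.
Disable-SmbV3Compression
Block-InboundSmb
[pscustomobject]@{
    CompressionDisabled = Test-SmbV3CompressionDisabled
    InboundSmbBlocked   = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
} | Format-List
```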

This is the second security advisory from CISA regarding critical Microsoft flaws within the last week. A critical vulnerability found in Microsoft Exchange servers is being actively targeted by APT hacking groups. A successful exploit would give a hacker the ability to remotely install code with elevated privileges.

It’s also the second wormable flaw reported by the tech giant in the last year. The BlueKeep remote desktop flaw received multiple alerts in 2019, as hackers targeted vulnerable systems with cryptocurrency attacks.

As noted, industry stakeholders have repeatedly stressed that many healthcare providers still struggle with applying patches in a timely manner, given inventory issues and the number of connected devices on any given hospital network.

For those providers, segmentation is often an effective way to take vulnerable devices offline or to separate them from the main network.