Security firms inadvertently leaked info about a 0-Day 'wormable' vulnerability found in the SMBv3 protocol.



UPDATE - 2020/03/13

Microsoft released the KB4551762 security update to patch the vulnerability: update ASAP!


After the release of the Patch Tuesday fixes, Fortinet [2] and Cisco Talos [3] published information about a 'wormable' vulnerability in SMBv3 that may allow remote, unauthenticated attackers who exploit it to execute arbitrary code within the context of the application:

CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to. Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a "wormable" attack, which means it would be easy to move from victim to victim.

Cisco Talos

The security flaw, tracked as CVE-2020-0796, is not included in this month's March 2020 Patch Tuesday updates, and it is unclear when it will be patched.

Researchers are coming up with their own theories regarding the vulnerability and its severity, comparing it to EternalBlue, NotPetya and WannaCry, and have started proposing names for it such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.


Which Windows versions are affected?

According to Microsoft's advisory [1], the vulnerability affects Windows 10 (versions 1903 and 1909) and Windows Server (versions 1903 and 1909):

3. Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?

No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.


How can I identify vulnerable hosts?

In the last few hours, several researchers have published scripts useful for identifying vulnerable hosts.

In a tweet, security researcher Florian Roth published a bash script using Nmap, useful for detecting vulnerable servers:



ollypwn also posted a Python scanner on GitHub: https://github.com/ollypwn/SMBGhost

Then, a PowerShell version by sysgoblin:



Finally, a YARA rule to attempt to detect the SMBGhost packet, by LloydLabs:




Are there some mitigations?

According to Microsoft's advisory [1], there is currently no workaround for mitigating the danger for SMB clients. On server systems, admins could:

  • Disable SMBv3 compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server, using this PowerShell command (no reboot is required):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

  • Block TCP port 445 at the enterprise perimeter firewall [4].

Claroty, on its GitHub account [5], has released a basic Snort rule for detection of SMB compressed communication, keyed on the SMB compression protocol identifier:

###############
# Rules by Claroty
# These rules will detect SMB compressed communication by the SMB protocol identifier.
# The use of the offset and depth parameters is designed to prevent false positives and to allow for the NetBIOS layer.
###############
alert tcp any any -> any 445 (msg:"Claroty Signature: SMBv3 Used with compression - Client to server"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000001; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)

alert tcp any 445 -> any any (msg:"Claroty Signature: SMBv3 Used with compression - Server to client"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000002; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)
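The same detection logic as the Snort rules above, written here as an added Python example (not Claroty's code, nor part of the original post): it looks for the compression transform header's protocol identifier 0xFC 'S' 'M' 'B' at offset 0 of the TCP payload or right after a 4-byte NetBIOS session header, which is exactly what "offset: 0; depth: 10" permits, and decodes the header fields so a defender can log which hosts are actually exchanging compressed SMBv3 traffic. The sample payloads are constructed for the example.

```python
"""Detect SMBv3 compression transform headers in raw TCP/445 payloads."""
import struct
from typing import Optional

COMPRESSED_PROTOCOL_ID = b"\xfcSMB"  # 0xFC 0x53 0x4D 0x42, compressed SMB2 message
NORMAL_PROTOCOL_ID = b"\xfeSMB"      # 0xFE 0x53 0x4D 0x42, regular SMB2 header

# Compression algorithm identifiers from [MS-SMB2] 2.2.42.
ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman"}


def find_compressed_header(payload: bytes) -> Optional[dict]:
    """Return the parsed transform header if the payload carries one, else None.

    The header is checked at offset 0 (raw TCP payload) and at offset 4
    (after the NetBIOS session service header used by SMB over port 445).
    """
    for off in (0, 4):
        if payload[off:off + 4] != COMPRESSED_PROTOCOL_ID:
            continue
        hdr = payload[off:off + 16]
        if len(hdr) < 16:
            return None  # identifier present but header truncated; nothing to decode
        # ProtocolId(4) OriginalCompressedSegmentSize(4) CompressionAlgorithm(2)
        # Flags(2) Offset/Length(4), all little-endian.
        _, orig_size, algo, flags, data_off = struct.unpack("<4sIHHI", hdr)
        return {
            "netbios_prefix": off == 4,
            "original_size": orig_size,
            "algorithm": ALGORITHMS.get(algo, f"unknown({algo})"),
            "flags": flags,
            "offset": data_off,
        }
    return None


def scan(payloads) -> list:
    """Return the indexes of payloads that use SMBv3 compression (alert candidates)."""
    return [i for i, p in enumerate(payloads) if find_compressed_header(p) is not None]


# Constructed samples: a NetBIOS-framed compressed message (LZNT1, 256-byte
# original segment) and a plain, uncompressed SMB2 message.
SAMPLE_COMPRESSED = (b"\x00\x00\x00\x20" + COMPRESSED_PROTOCOL_ID
                     + struct.pack("<IHHI", 0x100, 1, 0, 0) + b"\x00" * 16)
SAMPLE_PLAIN = b"\x00\x00\x00\x40" + NORMAL_PROTOCOL_ID + b"\x00" * 60

if __name__ == "__main__":
    for sample in (SAMPLE_COMPRESSED, SAMPLE_PLAIN):
        print(find_compressed_header(sample))
```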


Additional readings


References

  1. ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
  2. MS.SMB.Server.Compression.Transform.Header.Memory.Corruption
  3. Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage
  4. Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment
  5. https://github.com/ClarotyICS