
posted by Fnord666 on Monday June 08 2020, @05:13AM
from the this-is-my-shocked-face dept.

Exploit code for wormable flaw on unpatched Windows devices published online:

A researcher has published exploit code for a Microsoft Windows vulnerability that, when left unpatched, has the potential to spread from computer to computer with no user interaction.

So-called wormable security flaws are among the most severe, because the exploit of one vulnerable computer can start a chain reaction that rapidly spreads to hundreds of thousands, millions, or tens of millions of other vulnerable machines. The WannaCry and NotPetya exploits of 2017, which caused worldwide losses in the billions and tens of billions of dollars respectively, owe their success to CVE-2017-0144, the tracking number for an earlier wormable Windows vulnerability.

Also key to the destruction was reliable code developed by and later stolen from the National Security Agency and finally published online. Microsoft patched the flaw in March 2017, two months before the first exploit took hold.

Proof-of-concept exploit code for the new wormable Windows vulnerability was published on Monday by a GitHub user with the handle Chompie1337. The exploit isn't reliable and frequently results in crashes that present a BSOD, shorthand for the "blue screen of death" Windows displays during system failures. Regardless, the code still serves as a blueprint that, with more work, could be used to remotely compromise vulnerable machines and then spread.

"This has not been tested outside of my lab environment," the GitHub user wrote. "It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die."

[...] Reports of the vulnerability were published and then quickly pulled by security firm Fortinet and Cisco security group Talos on March 10, the regularly scheduled Update Tuesday for that month. No one ever explained why the flaw details were released and then withdrawn. Two days later, Microsoft issued an unscheduled update that patched the vulnerability.

"We recommend customers install updates as soon as possible as publicly disclosed vulnerabilities have the potential to be leveraged by bad actors," Microsoft officials wrote in a statement on Friday. "An update for this vulnerability was released in March, and customers who have installed the updates, or have automatic updates enabled, are already protected."
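Microsoft's statement reduces the question to "is the March update installed, and is automatic updating on?", and for a wormable SMB flaw a third question matters just as much: from which networks is TCP 445 reachable on the host? The following PowerShell is an added example, not code from the article, from Microsoft, or from the exploit author, that answers those three questions for a local Windows host using only standard cmdlets (Get-HotFix, Get-ItemProperty, Get-NetFirewallRule, Get-NetFirewallPortFilter). The article does not name the update's KB number, so the function takes it as a parameter with an obvious placeholder default; the patch date used for the "anything installed since then?" heuristic is derived from the article's "two days after March 10" and is an assumption.

```powershell
# Added example (not from the article): a defender-side posture check for
# whether a Windows host has the March 2020 SMBv3 fix and how exposed SMB is.
# The KB identifier is not given on the page; supply it from Microsoft's
# advisory via -KbId (the default below is a placeholder, not a real KB).
function Get-SmbPatchPosture {
    [CmdletBinding()]
    param(
        [string]$KbId = 'KB<placeholder-from-MS-advisory>',
        # Assumption: the article says the out-of-band update followed the
        # March 10 disclosure by two days.
        [datetime]$PatchDate = (Get-Date '2020-03-12')
    )

    # 1. Is the specific fix present? Get-HotFix reads the installed-update list
    #    (Win32_QuickFixEngineering); an unknown KB just yields nothing.
    $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # 2. Has anything at all been installed since the fix shipped? A host with
    #    no updates after that date almost certainly lacks it. InstalledOn can
    #    be empty for some entries, so drop those before comparing dates.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
        Sort-Object InstalledOn -Descending

    # 3. Is automatic updating switched off by policy? NoAutoUpdate under the
    #    WindowsUpdate\AU policy key is 1 when an admin disabled it; the key is
    #    simply absent when no such policy applies.
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate `
                -ErrorAction SilentlyContinue).NoAutoUpdate

    # 4. Which enabled inbound allow rules admit TCP 445 (SMB), and on which
    #    firewall profiles? A wormable SMB flaw is only reachable where 445 is.
    $smbRules = foreach ($rule in Get-NetFirewallRule -Enabled True `
                                      -Direction Inbound -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and @($port.LocalPort) -contains '445') {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = $rule.Profile   # Domain, Private, Public or Any
            }
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        FixInstalled       = [bool]$fix
        UpdatesSincePatch  = @($recent).Count
        LastUpdate         = if ($recent) { $recent[0].InstalledOn } else { $null }
        AutoUpdateDisabled = ($noAuto -eq 1)
        InboundSmbRules    = $smbRules
    }
}

# Run locally (elevated, so firewall and registry reads succeed); Format-List
# expands the nested rule list so Public-profile SMB rules stand out.
Get-SmbPatchPosture | Format-List
```

A host reporting FixInstalled = False with UpdatesSincePatch = 0 and an SMB allow rule on the Public profile is exactly the machine the article's wormable scenario targets; for fleet-wide use, wrap the call in Invoke-Command against the host list rather than relying on the date heuristic, which only tells you that updates have been flowing, not that the specific KB landed.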


  • (Score: 4, Insightful) by Mojibake Tengu (8598) on Monday June 08 2020, @07:06AM (#1004755)

    No one ever explained why the flaw details were released and then pulled.

    Fortinet is a major firewall maker. They did it for the purpose of enhancing their own business.
    There, I "the no one ever" just did the thinking for you.

    Anyway, SMBv3 featuring remote DMA craziness looks like a fine recipe for a disaster on other platforms:
    https://en.wikipedia.org/wiki/Remote_direct_memory_access
    https://en.wikipedia.org/wiki/Server_Message_Block#SMB_3.0

    Both Red Hat Enterprise Linux and Red Hat Enterprise MRG have support for RDMA. Microsoft supports RDMA in Windows Server 2012 via SMB Direct.

    A design backdoor on hardware, I say. And Huawei was ostracized for not providing this to western spooks in their network hardware.

    --
    Respect Authorities. Know your social status. Woke responsibly.
  • (Score: 0) by Anonymous Coward on Monday June 08 2020, @08:44PM (#1004991)

    Remote DMA is a NIC / Ethernet capability that SMB builds upon - it neither defines nor implements it. (This seems like a good intro: https://www.samba.org/~metze/presentations/2018/SDC/StefanMetzmacher_SDC2018-SMB-Direct-Status-rev1-presentation.pdf) Now the NIC should only have access to specifically shared memory regions, but you'd have to audit the implementation (hardware / OS?) to verify that.