Windows has a new wormable vulnerability, and there’s no patch in sight [arstechnica.com]
Critical bug in Microsoft's SMBv3 implementation published under mysterious circumstances.
Word leaked out on Tuesday of a new vulnerability in recent versions of Windows that has the potential to unleash the kind of self-replicating attacks that allowed the WannaCry and NotPetya worms to cripple business networks around the world.
The vulnerability exists in version 3.1.1 of the Server Message Block (SMB) protocol, which is used to share files, printers, and other resources on local networks and over the Internet. Attackers who successfully exploit the flaw can execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in this bare-bones advisory. [microsoft.com]
The flaw, which is tracked as CVE-2020-0796, affects Windows 10 and Windows Server 2019, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren’t available, and Tuesday’s advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said: “Beyond the advisory you linked, nothing else to share from Microsoft at this time.”
In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
That fix won’t protect vulnerable client computers from attack. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.
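The two interim mitigations above, written up as an added PowerShell script (not code from the article or from Microsoft): it reads the current DisableCompression value, applies the registry change from the advisory, verifies it took, and adds a host-firewall rule blocking inbound TCP 445. The registry path and value name are the ones quoted in the advisory; the firewall rule display name and the function names are labels chosen for this example. It must run from an elevated prompt.

```powershell
# Added example, not Microsoft's code: audit and apply the interim mitigations for
# the SMBv3 compression flaw on a server. Run from an elevated PowerShell prompt.
# Assumptions: registry path and value name as quoted in the advisory; the firewall
# rule display name below is a label chosen for this example.

$regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$valueName = "DisableCompression"

function Get-SmbCompressionState {
    # Returns the current DisableCompression value, or $null if the value is absent.
    # Absent means compression is enabled, which is the default (vulnerable) state.
    $props = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$valueName
}

function Disable-SmbCompression {
    # Mitigation 1: disable SMBv3 compression so an unauthenticated attacker cannot reach
    # the vulnerable code path on the server. Takes effect without a reboot.
    Set-ItemProperty -Path $regPath -Name $valueName -Type DWORD -Value 1 -Force
}

function Block-SmbInbound {
    # Mitigation 2: block inbound TCP 445 at the host firewall. This also cuts legitimate
    # file and printer sharing to this host, so apply it only where that is acceptable.
    param([string]$RuleName = "Block SMB 445 inbound (interim mitigation)")
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# --- apply and verify ---
$before = Get-SmbCompressionState
if ($null -eq $before) {
    Write-Host "DisableCompression before: not set (compression enabled)"
} else {
    Write-Host "DisableCompression before: $before"
}

Disable-SmbCompression
$after = Get-SmbCompressionState
if ($after -ne 1) {
    throw "DisableCompression was not applied; confirm this shell is elevated."
}
Write-Host "DisableCompression after: $after (server-side mitigation in place)"

Block-SmbInbound
Write-Host "Inbound TCP 445 blocked. Neither step protects this machine when it acts as an SMB client."
```

The verification step matters: a non-elevated shell fails the Set-ItemProperty call, and without the read-back a rollout script would report success on machines that are still exposed. The closing message restates the article's caveat, since the registry change only covers the server side of the protocol.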
Now you see it, now you don't
An advisory published—and then removed—by security firm Fortinet described the vulnerability as “MS.SMB.Server.Compression.Transform.Header.Memory.Corruption.” The pulled advisory said the flaw is the result of a buffer overflow in vulnerable Microsoft SMB servers.
“The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet,” Fortinet researchers wrote. “A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”
Cisco’s Talos security team also published—and later pulled—its own advisory. It called the vulnerability “wormable,” meaning a single exploit could touch off a chain reaction that allows attacks to spread from vulnerable machine to vulnerable machine without requiring any interaction from admins or users.
A patch should be available within one quarter of a galactic rotation. [wikipedia.org]