
New SMBv3 bug on Windows has worm potential

Yesterday was the second Tuesday of the month, which means technology companies have released fixes for their products. However, Microsoft did not fix the new SMBv3 bug in Windows, which has worm potential.

In March 2020, Microsoft engineers eliminated 115 vulnerabilities, noting that this set of updates was the largest in the company's history.

Despite its size, the update has not been particularly notable for problems (as has happened before), although perhaps not many users have installed it yet.

Vulnerabilities were fixed in Windows, Edge, Internet Explorer, Exchange Server, Office, Azure DevOps, Windows Defender, Visual Studio and Dynamics. Most of the problems affect Windows in one way or another (79 different CVEs), as well as the company's browsers (18 different CVEs).

Of the 115 bugs, 26 received critical status, which means they are easy to exploit and, most likely, their exploitation leads to a complete compromise of the device. However, none of the vulnerabilities were used in real attacks, and information about the bugs was not publicly disclosed before the patches were released.

Among the critical bugs is CVE-2020-0852, a remote code execution vulnerability in Word.

“Exploiting most of these problems in Office products implies that the user must open a specially crafted file. However, this is not required in this case: even a simple preview of a specially created file may allow the code to execute with the rights of the current logged-in user,” explain Zero Day Initiative experts.

Another problem that has a high chance of becoming popular among hackers is CVE-2020-0684. The vulnerability is associated with Windows LNK shortcut files and allows malware to execute code on the system when Windows processes a malicious LNK file.

Even after the released updates, critical vulnerabilities remain that are of interest to information security specialists. In particular, attention is focused on the unpatched problem CVE-2020-0796, the fix for which was not included in this Patch Tuesday.

The fact is that on the eve of the patches, Cisco Talos and Fortinet posted brief messages describing the vulnerability CVE-2020-0796 affecting SMBv3 (without technical details). Although everyone was then waiting for the release of a patch, this did not happen. Recall that it was the SMB protocol that helped WannaCry and NotPetya spread around the world.

“The vulnerability is a buffer overflow on Microsoft SMB servers. The problem is reported to occur when the vulnerable software processes a maliciously crafted compressed data packet. A remote and unauthenticated attacker can use this to execute arbitrary code in the application context,” say Fortinet experts.

A similar description of the problem was published and then removed from the Cisco Talos company blog. The company claimed that “exploiting the vulnerability opens up systems for attacks with worm potential,” meaning the problem could easily spread from one victim to another.

According to the companies, only Windows 10 v1903, Windows 10 v1909, Windows Server v1903 and Windows Server v1909 are vulnerable to the bug.

Fortunately, unlike the case of WannaCry and NotPetya, which used the publicly available EternalBlue exploit, this time only information about the bug leaked, not an exploit for it. Although the information about the problem was clearly published by accident and there is no patch yet, it is still not worth waiting for attacks on the fresh bug.

As a result, Microsoft developers have been forced to publish a short security advisory explaining how to protect against the new vulnerability until a patch is released. Users are advised to disable SMBv3 compression and block TCP port 445.
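As an added example (not part of the original article), the following PowerShell script checks whether a host is on one of the releases the article lists as affected, reports the SMBv3 compression setting, and optionally applies the two interim mitigations described above. The DisableCompression registry value is the one Microsoft's advisory documents; the function names and the firewall rule name are this example's own choices, and it assumes an elevated session.

```powershell
# Added example: interim CVE-2020-0796 mitigations on an affected Windows host.
# Run from an elevated PowerShell session; pass -Apply to make changes.
param([switch]$Apply)

# Registry location of the SMB server service settings (Microsoft's documented workaround path).
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Releases the article names as vulnerable (Windows 10 and Windows Server 1903/1909).
$AffectedReleases = @('1903', '1909')

function Get-WindowsReleaseId {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
}

function Test-SmbCompressionDisabled {
    # Returns $true only when DisableCompression is explicitly set to 1.
    $value = (Get-ItemProperty -Path $SmbParams -ErrorAction SilentlyContinue).DisableCompression
    return ($value -eq 1)
}

function Disable-SmbCompression {
    # Microsoft's documented workaround: DisableCompression = 1 on the SMB server service.
    Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Block-InboundSmb {
    # Blocks TCP 445 inbound on the host firewall (rule name is this example's own);
    # the perimeter firewall should block the port as well.
    $name = 'Block inbound SMB TCP 445 (CVE-2020-0796 interim)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

$release  = Get-WindowsReleaseId
$affected = $AffectedReleases -contains $release
Write-Host "Windows release: $release (listed as affected: $affected)"
Write-Host "SMBv3 compression disabled: $(Test-SmbCompressionDisabled)"

if ($Apply -and $affected) {
    Disable-SmbCompression
    Block-InboundSmb
    Write-Host "Mitigations applied; SMBv3 compression disabled: $(Test-SmbCompressionDisabled)"
}
```

Disabling compression only stops the compressed-packet code path on SMB servers; clients that connect to an untrusted server are not covered by that setting, which is why the port-445 block matters as well.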

James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

Comments

  • […] Recall that KB4551762 is a separate patch released specifically to fix vulnerabilities in the Server Message Block 3.1.1 (SMBv3) protocol. Microsoft has published this update aside from the update schedule. […]

  • […] CVE-2020-0796, also called SMBGhost, affects SMBv3, though Windows 10 1903, Windows 10 1909, Windows Server 1903, and Windows Server 1909 are also […]
