Next Wannacry Like Attack Looming?

itman · Mar 11, 2020

Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw

Microsoft leaked info on a security update for a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month's Patch Tuesday.

The vulnerability is due to an error when the SMBv3 handles maliciously crafted compressed data packets and it allows remote, unauthenticated attackers that exploit it to execute arbitrary code within the context of the application.

Desktop and server Windows 10 versions impacted
Devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation) are impacted by this vulnerability according to a Fortinet advisory, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012.

"An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," Cisco Talos explained in their Microsoft Patch Tuesday report — this was later removed by the Talos security experts.

"The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim," they also added.

Fortinet says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems.

Due to Microsoft's secrecy, people are coming up with their own theories regarding the malware and its severity, some comparing it to EternalBlue, NotPetya, WannaCry, or MS17-010 (1, 2).

Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.

Available CVE-2020-0796 mitigations
Until Microsoft will release a security update designed to patch the CVE-2020-0796 RCE vulnerability, Cisco Talos shared that disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.

Although an official way of disabling SMBv3 compression was not shared by Microsoft, Foregenix Solutions Architect Niall Newman was able to find after analyzing the Srv2.sys file that it can be done by:

1. Going to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
2. Creating a DWORD value called CompressionEnabled
3. Setting its value to 0.
While no proof-of-concept exploits have been released yet for this wormable SMBv3 RCE, we recommend implementing the mitigation measures shared by Cisco Talos until Microsoft will release an out-of-cycle security update to fix it seeing that almost all the info is out anyway.

BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication.

If you're Microsoft you basically have little choice now but to release the patch for 2020-0796 out-of-cycle as soon as it meets quality standards, right? There's too much info out there to just hope somebody won't find it before April.

Fun times for sysadmins everywhere.

— Brian in Pittsburgh (@arekfurt) March 10, 2020
Click to expand...

https://www.bleepingcomputer.com/ne...on-wormable-windows-smbv3-cve-2020-0796-flaw/

itman · Mar 11, 2020

Per above linked bleepingcomputer.com article.

Update: Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts.

You can disable compression on SMBv3 servers with this PowerShell command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment

Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment
Click to expand...

guest · Mar 11, 2020

"...this bug likely won’t lead to “WannaCry 2.0.”
Wormable, Unpatched Microsoft Bug Threatens Corporate LANs
March 11, 2020
https://threatpost.com/wormable-unpatched-microsoft-bug/153632/

“Considering that SMBv3 is not as widely used as SMBv1, the potential immediate impact of this threat is most likely lower than past vulnerabilities,” Richard Melick, senior technical product manager at Automox, told Threatpost.
Jake Williams, founder of security firm Rendition Security, said on Twitter that the risk of exploitation is mitigated by kernel protections – specifically kernel address space layout randomization (KASLR).
“Core SMB sits in kernel space and KASLR is great at mitigating exploitation,” tweeted Williams. “Assuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.”
Click to expand...

So far, there’s no evidence that the vulnerability had been exploited in the wild, Microsoft said in the advisory. However, Melick said to proceed with caution.

“There are still too many unknowns to say how effective this wormable vulnerability could be; is it going to be as easy as EternalBlue to implement or will it have the same difficulties as BlueKeep?”
[...] Microsoft noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.
To protect clients from outside attacks, it’s necessary to block TCP port 445 at the enterprise perimeter firewall.
Click to expand...

itman · Mar 11, 2020

Impact

By connecting to a vulnerable Windows machine using SMBv3, or by causing a vulnerable Windows system to initiate a client connection to a SMBv3 server, a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Click to expand...

https://kb.cert.org/vuls/id/872016/

itman · Mar 11, 2020

Jake Williams, founder of security firm Rendition Security, said on Twitter that the risk of exploitation is mitigated by kernel protections – specifically kernel address space layout randomization (KASLR).
“Core SMB sits in kernel space and KASLR is great at mitigating exploitation,” tweeted Williams. “Assuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD.”
Click to expand...

This is rubbish talk. Case in point: https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/

itman · Mar 12, 2020

How does SMBGhost work?

An attacker could gain the ability to execute code on a target SMB server or client. The Microsoft advisory says, “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.” This means if the attacker can reach the SMBv3 server they can execute the code, but SMB client requires them to connect to a malicious SMBv3 Server, so properly training the employees on recognizing common social hacking can help mitigate it a little bit.
Click to expand...

https://www.pdq.com/blog/cve-2020-0796/

guest · Mar 12, 2020

48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks
March 13, 2020
https://www.bleepingcomputer.com/ne...erable-to-smbghost-cve-2020-0796-rce-attacks/

After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic discovered roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the pre-auth remote code execution CVE-2020-0796 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3).
DoS proof-of-concept already demoed
They also shared a demo video of a denial-of-service proof-of-concept exploit developed by researcher Marcus Hutchins (aka MalwareTech).

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," according to Kryptos Logic which means that malicious actors might soon be able to develop their own CVE-2020-0796 exploits.
While no malicious scans for Windows 10 hosts without mitigations put in place haven't yet been detected, the fact that PoC exploits have already been developed and the bug is so easy to analyze that it could lead to malicious attacks soon.
Click to expand...

We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).
— Kryptos Logic (@kryptoslogic) March 12, 2020
Click to expand...

Sampei Nihira · Mar 12, 2020

KB4551763 patch available.

guest · Mar 13, 2020

SMBGhost – Analysis of CVE-2020-0796
March 12, 2020
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796/

The latest vulnerability in SMBv3 is a “wormable” vulnerability given its potential ability to replicate or spread over network shares using the latest version of the protocol (SMB 3.1.1). As of this writing, Microsoft have just released a patch for CVE-2020-0796 on the morning of March 12th. The bug was introduced very recently, in the decompression routines for SMBv3 data payloads. The code implementing this was deployed in April 2019 for Version 1903 and November 2019 for version 1909.
Click to expand...

The vulnerability occurs during the processing of a malformed compressed message. [...]
Exposure
As always, this kind of patch should be applied as soon as possible, subject to organizational policy. While there are currently no known exploits in the wild, as you will see, causing a BSOD (blue screen of death), is quite trivial, and remains a highly effective attack method for disruption if an attacker can gain access to an internal network.
Impact – BSOD vs. RCE
Getting a Blue Screen of Death or BSOD is a straightforward exercise. Pivoting from that to full remote code execution will likely be more challenging, as additional bugs will likely be required to bypass Windows’ latest mitigation techniques, such as Kernel ASLR or KASLR.
Click to expand...

guest · Apr 1, 2020

SMBGhost Vulnerability Allows Privilege Escalation on Windows Systems
April 1, 2020
https://www.securityweek.com/smbghost-vulnerability-allows-privilege-escalation-windows-systems

In attacks aimed at SMB servers, the attacker needs to send specially crafted packets to the targeted system. In the case of clients, the attacker has to convince the targeted user to connect to a malicious SMBv3 server.

A PoC for remote code execution has yet to be made public, but cybersecurity firm ZecOps has developed and released a PoC that shows how SMBGhost can be exploited to escalate privileges to SYSTEM.
Researchers Daniel García Gutiérrez and Manuel Blanco Parajón have also made available a PoC that exploits SMBGhost to escalate privileges to SYSTEM.
Click to expand...

ZecOps has also published a blog post with the technical details for local privilege escalation.
Click to expand...

guest · Apr 7, 2020

Azure ATP now detects SMBGhost
April 6, 2020
https://techcommunity.microsoft.com...y/azure-atp-now-detects-smbghost/ba-p/1281568

The SMB vulnerability CVE-2020-0796, also known as “SMBGhost” or “CoronaBlue”, was published a few days ago. This CVE is about a potential remote code execution due to a buffer overflow vulnerability in the way SMBv3 (3.1.1) handles SMBv2 compression requests. The vulnerability affects Windows 10 and Windows Server 2019 versions 1903 and 1909.

The vulnerability has the potential to become widely spread, similar to the way EternalBlue exploited the SMB protocol in 2017. It’s important to protect critical Windows servers by installing a patch, KB4551762, or following other suggested mitigations and workarounds.
In addition, to help our customers stay secure, we are releasing a new Azure ATP detection that looks for use of this vulnerability on unpatched Domain Controllers. The detection identifies crafted packets attempting to exploit SMBv3.
Click to expand...

guest · Apr 20, 2020

Windows 10 SMBGhost RCE exploit demoed by researchers
April 10, 2020
https://www.bleepingcomputer.com/ne...0-smbghost-rce-exploit-demoed-by-researchers/

A proof-of-concept remote code execution (RCE) exploit for the Windows 10 CVE-2020-0796 'wormable' pre-auth remote code execution vulnerability was developed and demoed today by researchers at Ricerca Security.

Some information on SMBGhost was leaked during last month's Patch Tuesday after being accidentally published by a number of security vendors part of Microsoft Active Protections Program despite Microsoft's decision to hold on to the info and not issuing a security advisory.
"An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client," Microsoft explains.
Click to expand...

DoS, LPE, and now an RCE PoC exploit
After a number of proofs-of-concept (PoC) exploits surfaced, including a denial-of-service one developed by Kryptos Logic security researcher Marcus Hutchins, Microsoft released security patches for all affected platforms on March 12.

"However, while there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far," Ricerca Security researchers said today.
If patching all vulnerable systems wasn't urgent enough until now, Ricerca Security today demoed a PoC RCE exploit for SMBGhost and published a write-up with all the technical details behind it, after tweeting a teaser a week ago.
Click to expand...

For the time being though, Ricerca Security has decided not to share their RCE PoC exploit publicly to avoid having it fall in the wrong hands.
Click to expand...

guest · Jun 5, 2020

Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit
June 5, 2020
https://www.bleepingcomputer.com/ne...bug-gets-public-proof-of-concept-rce-exploit/

Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1).

SMBGhost affects Windows 10 versions 1909 and 1903, including Server Core. Microsoft patched it in March, warning that exploitation is “more likely” on both older and newer software releases and that it is as critical as can be: maximum severity score of 10.
Exploit code for SMBGhost
After the vulnerability leaked in March, security researchers started to find a way to exploit SMBGhost but the results were limited to local privilege escalation (LPE) and denial of service (blue screen).

Almost three months since Microsoft released the patch, a security researcher using the Twitter handle Chompie shared publicly a version of the SMBGhost RCE.
Click to expand...

Her code is not 100% reliable and the purpose is to help others expand their knowledge in the reverse-engineering area. “It was written quickly and needs some work to be more reliable,” the researcher states in the readme file.
Chompie told us that it works best on Windows 10 1903 and that many individuals were able to exploit the bug successfully on this version.

"The existence of this read primitive makes exploitation more straightforward. But because it depends on DMA of tcpip I have achieved inconsistent results that warrant more research," she told us
Click to expand...

guest · Jun 9, 2020

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol
June 9, 2020
https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html

Cybersecurity researchers today uncover a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks.

Dubbed "SMBleed" (CVE-2020-1206) by cybersecurity firm ZecOps, the flaw resides in SMB's decompression function — the same function as with SMBGhost or EternalDarkness bug (CVE-2020-0796), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks.
Click to expand...

According to ZecOps researchers, the flaw stems from the way the decompression function in question ("Srv2DecompressData") handles specially crafted message requests (e.g., SMB2 WRITE) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function.

"The message structure contains fields such as the amount of bytes to write and flags, followed by a variable-length buffer," the researchers said. "That's perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data."

Microsoft's security guidance addressing SMBleed and SMBGhost in Windows 10 version 1909 and 1903 and Server Core for the same versions can be found here and here.
Click to expand...

Minimalist · Oct 28, 2020

Microsoft’s SMBGhost Flaw Still Haunts 108K Windows Systems

More than 100,000 Windows systems have not yet been updated to protect against a previously-patched, critical and wormable flaw in Windows called SMBGhost.
Click to expand...

https://threatpost.com/microsofts-smbghost-flaw-108k-windows-systems/

Log in or Sign up

Next Wannacry Like Attack Looming?

itman Registered Member

itman Registered Member

guest Guest

itman Registered Member

itman Registered Member

itman Registered Member

guest Guest

Sampei Nihira Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

Log in or Sign up

Next Wannacry Like Attack Looming?

itman Registered Member

itman Registered Member

guest Guest

itman Registered Member

itman Registered Member

itman Registered Member

guest Guest

Sampei Nihira Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

Useful Searches