Hackers Targeting Unpatched Windows Systems with Proof-of-Concept Code for SMB Vulnerability
As part of Patch Tuesday in March, Microsoft released a security advisory detailing a remote code execution (RCE) flaw in Server Message Block (SMB) version 3.1.1. SMB is the protocol Windows uses for shared network access to file servers, printers, and serial ports. The bug could let an attacker run code on a target SMB Server or SMB Client by exploiting the way SMBv3 handles certain requests.
Microsoft considered the issue serious enough to release an out-of-band patch (KB4551762) to fix the vulnerability later the same month. The bug, which is sometimes referred to as SMBGhost, only affects Windows 10 versions 1903 and 1909. Microsoft said:
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
CISA warns about attacks on unpatched Microsoft systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a warning on June 5th that unpatched Microsoft systems could be vulnerable to SMBGhost (CVE-2020-0796). CISA is aware of functional, publicly available proof-of-concept (PoC) code that exploits SMBGhost on unpatched systems.
CISA goes on to say that hackers are targeting unpatched Microsoft systems with the new code. In addition to making sure that SMB ports are not exposed to the public Internet, system administrators should apply KB4551762 to vulnerable systems as soon as possible.
SMB compression flaw
SMBGhost is a buffer overflow vulnerability in the SMB Server component of Windows. Unpatched systems are vulnerable to a ‘wormable’ attack, meaning the bug could be used to move laterally from one device to another without user interaction, much in the same way that WannaCry and NotPetya infected thousands of systems around the world in 2017.
It’s not clear whether the patch disables SMB compression or fixes the bug. But Microsoft says that while newer versions of Windows 10 support SMB compression, it is not used by Windows. So, disabling SMB compression has no negative impact. But as with all updates, you should test it before deploying the patch to production systems.
How to get the SMBGhost update?
The update applies to Windows 10 1903, 1909, and Windows Server 1903 and 1909. Windows Server 2016 and Windows Server 2019 are not affected by this vulnerability. Older versions of Windows are also not affected because they don’t support SMB compression.
The update is available via the usual channels: Windows Update and Microsoft Update; Microsoft Update Catalog; Windows Server Update Services (WSUS).
The Microsoft Update Catalog can be used to download the update as a standalone package. Organizations using WSUS will see the update synchronized automatically if the product category “Windows 10, version 1903 and later” and the “Security Updates” classification are enabled.
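To turn the advice above into a repeatable check, here is an added PowerShell audit script (example code, not from the article or from Microsoft). It reports whether a host runs an affected build, whether KB4551762 is installed, whether SMB compression has been disabled, and whether TCP 445 is listening locally. The affected build numbers (18362 for 1903, 18363 for 1909) and the `DisableCompression` value under the LanmanServer service key are taken from Microsoft’s published documentation and workaround advisory, not from this article, so treat them as assumptions and confirm against Microsoft’s guidance.

```powershell
# Added example: audit one Windows 10 / Windows Server host for SMBGhost (CVE-2020-0796) exposure.
# Run in an elevated PowerShell session on the host being checked.

# Build numbers for the affected releases (assumed from Microsoft's release documentation).
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$isAffectedBuild = $affectedBuilds.ContainsKey($build)

# KB4551762 is the out-of-band fix named in the article.
# Caveat: Get-HotFix relies on WMI's update inventory, which can miss updates on some hosts;
# cross-check with Windows Update history if this reports "not installed".
$patched = [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

# SMB compression workaround (assumed: Microsoft's documented DisableCompression DWORD under
# the LanmanServer Parameters key, value 1 = compression disabled). Mitigates the server side only.
$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$disableValue = (Get-ItemProperty -Path $lanmanParams -Name 'DisableCompression' `
                 -ErrorAction SilentlyContinue).DisableCompression
$compressionDisabled = ($disableValue -eq 1)

# Is the SMB server listening on TCP 445? Listening locally is not the same as being exposed to
# the Internet; confirm perimeter and host firewall rules separately.
$smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# Decide an overall status. Patching is the real fix; the workaround is interim only.
$status = if (-not $isAffectedBuild) { 'Not affected (build is not 1903/1909)' }
          elseif ($patched)           { 'Patched (KB4551762 installed)' }
          elseif ($compressionDisabled) { 'Unpatched, server compression disabled (interim only; apply KB4551762)' }
          else                        { 'VULNERABLE: apply KB4551762 as soon as possible' }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Build               = $build
    Release             = if ($isAffectedBuild) { $affectedBuilds[$build] } else { 'n/a' }
    KB4551762Installed  = $patched
    CompressionDisabled = $compressionDisabled
    Port445Listening    = $smbListening
    Status              = $status
}
```

Run it across a fleet with `Invoke-Command -ComputerName <hosts> -FilePath .\Check-SMBGhost.ps1` and sort on the `Status` column to prioritise unpatched hosts that are still listening on 445.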