Hackers Targeting Unpatched Windows Systems with Proof-of-Concept Code for SMB Vulnerability
As part of Patch Tuesday in March, Microsoft released a security advisory detailing a remote code execution (RCE) flaw in Server Message Block (SMB) version 3.1.1. SMB is the protocol Windows uses for shared network access to file servers, printers, and serial ports. The bug could let an attacker exploit the way SMBv3 handles requests to run code on a target SMB Server or SMB Client.
Microsoft considered the issue serious enough to release an out-of-band patch (KB4551762) to fix the vulnerability later the same month. The bug, which is sometimes referred to as SMBGhost, only affects Windows 10 versions 1903 and 1909. Microsoft said:
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
CISA warns about attacks on unpatched Microsoft systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a warning June 5th that unpatched Microsoft systems could be vulnerable to SMBGhost (CVE-2020-0796). CISA is aware of functional, publicly available proof-of-concept (Poc) code that exploits SMBGhost in unpatched systems.
CISA goes on to say that hackers are targeting unpatched Microsoft systems with the new code. In addition to making sure that SMB ports are not exposed to the public Internet, system administrators should apply KB4551762 to vulnerable systems as soon as possible.
SMB compression flaw
SMBGhost is a buffer overflow vulnerability in the SMB Server component of Windows. Unpatched systems are vulnerable to ‘wormable’ attack. That means the bug could be used to move laterally from one device to another. Much in the same way that WannaCry and NotPetya infected thousands of systems around the world in 2017.
It’s not clear whether the patch disables SMB compression or fixes the bug. But Microsoft says that while newer versions of Windows 10 support SMB compression, it is not used by Windows. So, disabling SMB compression has no negative impact. But as with all updates, you should test it before deploying the patch to production systems.
How to get the SMBGhost update?
The update applies to Windows 10 1903, 1909, and Windows Server 1903 and 1909. Windows Server 2016 and Windows Server 2019 are not affected by this vulnerability. Older versions of Windows are also not affected because they don’t support SMB compression.
The update is available via the usual channels: Windows Update and Microsoft Update; Microsoft Update Catalog; Windows Server Update Services (WSUS).
The Microsoft Update Catalog can be used to download the update as a standalone package. Organizations using WSUS will see the updated synchronized automatically if product category Windows 10, version 1903 and later security updates are enabled.
More in Windows Server
Microsoft to Fix Windows Bug Breaking Wi-Fi hotspots After Installing Latest Patch Tuesday Update
Jun 17, 2022 | Rabia Noureen
Microsoft Confirms Windows Server Backup Issues in This Month's Patch Tuesday Updates
Jun 16, 2022 | Rabia Noureen
Microsoft Acknowledges Office Zero-Day Flaw Affecting Windows Diagnostic Tool
May 31, 2022 | Rabia Noureen
Microsoft Releases Out-Of-Band Patches to Fix Windows AD Authentication Issues
May 20, 2022 | Rabia Noureen
CISA Warns Windows Admins Against Applying May Patch Tuesday Updates on Domain Controllers
May 17, 2022 | Rabia Noureen
Microsoft Confirms May 2022 Patch Tuesday Updates Cause AD Authentication Issues
May 12, 2022 | Rabia Noureen
Most popular on petri