CVE-2020-0796 – A “wormable” Remote Code Execution vulnerability in SMB v3

Since last two days, the Internet is rife with news around a critical remote code execution vulnerability in SMBv3.1.1 compression mechanism. Today, on 12th March 2020 Microsoft has released an emergency out-of-band patch to address this vulnerability.

As per Microsoft release information, it’s a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. We advise customers to disable SMB access to their Windows hosts from unknown/public IP addresses unless it’s necessary.

To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. We advise customers to refrain from accessing untrusted SMB shares or files hosted on such untrusted SMB shares.

The facts that remote code execution is possible, and authentication is not required makes this vulnerability very critical. But, though this vulnerability is being compared with an old infamous SMB v1 vulnerability “CVE-2017-0144” which was used in WannaCry, we don’t have any data to ascertain this as of now. Microsoft has acknowledged this vulnerability finding to “Microsoft Platform Security Assurance & Vulnerability Research” team and mentioned that it’s not publicly exploited as on 12th March 2020. Though there are few scanner scripts available online, which can tell if a host is vulnerable to this vulnerability, no public exploits are available for it at the time of publishing this advisory.

All Quick Heal and Seqrite customers are protected against attacks exploiting this vulnerability through our IPS rules. To keep their hosts secure, we urge all our customers to keep your Quick Heal / Seqrite products’ virus definitions up-to-date. Additionally, as per the best practices, apply Microsoft’s official patches as early as possible.



No Comments, Be The First!

Your email address will not be published.