A Vulnerability in Microsoft Windows SMB Server Could Allow for Remote Code Execution

Summary

A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the account running the SMB server and client processes. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Threat Intelligence

On March 12, 2020, Microsoft released patches for CVE-2020-0796 for the affected systems. The security firm Kryptos Logic has provided video evidence of a denial of service attack utilizing the vulnerability and various scanners for the vulnerability are available on GitHub.

On June 5, 2020, there were reports of a publicly available proof of concept exploit for CVE-2020-0796, with active exploitations against unpatched systems being reported in the wild.

Systems Affected

• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)

Risk

Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium government entities: High
  Small government entities: Medium

Home Users: Low

Technical Summary

A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. This vulnerability is due to an error in handling maliciously crafted compressed data packets within version 3.1.1 of Server Message Blocks. To exploit this vulnerability, an attacker can send specially crafted compressed data packets to a target Microsoft Server Message Block 3.0 (SMBv3) server. Clients who connects to the malicious SMB server would then also be impacted. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network.

Recommendations

We recommend the following actions be taken:

• Apply the patches provided by Microsoft after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
• Apply the Principle of Least Privilege to all systems and services.

References

Microsoft

CVE

Bleeping Computer

US CERT

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form by clicking here.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions.