Microsoft Issues Security Advisory on 'Critical' SMB 3 Flaw in Windows Systems
Microsoft issued Security Advisory ADV200005 late on Tuesday about a "Critical"-rated Server Message Block (SMB) 3.1.1 vulnerability.
The vulnerability is currently present in newer supported Windows client and server systems, namely versions 1903 and 1909 of Windows 10 and Windows Server. Microsoft's announcement, which came somewhat late, was acknowledged by the U.S. Department of Homeland Security's CISA in a Wednesday announcement.
Currently, there's no patch for this SMB 3 vulnerability, only a workaround for "disabling SMBv3 compression." Microsoft recommends applying the workaround, although it's only for Windows Server and doesn't protect Windows clients.
It's possible that Microsoft had a patch prepared for this month's security patch release but pulled it, since two of its security solution partners (Cisco and Fortinet) had described the flaw (tracked as CVE-2020-0796) on Tuesday before later deleting the text.
An exploit of the SMB 3 vulnerability, which could enable remote code execution on a network, can be triggered by sending a "specially crafted packet to a targeted SMBv3 Server." The exploit also can be triggered on Windows clients by convincing users to connect to "a malicious SMBv3 Server," Microsoft's advisory explained.
Block Port 445
Microsoft's advisory on SMB 3 contains a link to a related support article that offers details on how to limit SMB connections, principally by blocking Port 445 connections, both from and to the Internet.
"It is unlikely that any SMB communication originating from the internet or destined for the internet is legitimate," the support article indicated, although sometimes SMB is used with the Azure Files service via specific endpoint configurations, it added. The article was written by Ned Pyle, a principal program manager at Microsoft focused on Windows and SMB, as identified in this Twitter post.
The support article defined SMB as "a network file sharing and data fabric protocol" that's used by various operating systems, "including Windows, MacOS, iOS, Linux and Android." This SMB traffic can be protected at the firewall level, though.
"Firewall best practices and configurations can enhance security preventing malicious traffic from leaving the computer or its network," the support article explained. It offered several such tips for IT pros.
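The two defensive measures described above, the SMBv3 compression workaround and blocking TCP 445 to and from the Internet, as an added PowerShell example (not code from the article, from Microsoft's advisory or from the support article). It reports whether a host is one of the affected builds and whether the workaround is in place, and adds the firewall rules. Assumptions: the DisableCompression registry value and its location are taken from Microsoft's ADV200005 rather than from this article, builds 18362 and 18363 correspond to versions 1903 and 1909, and the Windows Firewall 'Internet' address keyword is available on these versions.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code. Audit and harden a Windows 10 / Windows Server host
# against the SMBv3 flaw discussed above (server-side workaround plus port 445 firewall rules).

# Assumption: build numbers for the affected versions named in the article.
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
# Assumption: registry location of the compression switch, per Microsoft advisory ADV200005.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbV3Exposure {
    # Report OS build, whether it is one of the affected versions, and the workaround state.
    $build   = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $version = $AffectedBuilds[$build]
    $value   = (Get-ItemProperty -Path $SmbParams -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        Build               = $build
        AffectedVersion     = $version            # $null when the build is not 1903/1909
        CompressionDisabled = ($value -eq 1)
        # Per the article, the workaround protects only the SMB server role, not the client.
        ServerRoleProtected = ($null -eq $version) -or ($value -eq 1)
    }
}

function Enable-SmbCompressionWorkaround {
    # Apply the server-side workaround: DisableCompression = 1 (REG_DWORD). Takes effect without reboot.
    Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWord -Value 1 -Force
}

function Add-Smb445InternetBlockRules {
    # Support-article guidance: SMB to or from the Internet is almost never legitimate.
    # Assumption: 'Internet' is the firewall keyword for addresses outside the local networks.
    New-NetFirewallRule -DisplayName 'Block SMB 445 inbound from Internet' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block
    # Outbound rule also limits the client-side vector (connecting to a malicious SMBv3 server).
    New-NetFirewallRule -DisplayName 'Block SMB 445 outbound to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block
}

# Usage: audit first, then harden only hosts that are exposed and unprotected.
$state = Test-SmbV3Exposure
$state | Format-List
if ($state.AffectedVersion -and -not $state.CompressionDisabled) {
    Enable-SmbCompressionWorkaround
    Add-Smb445InternetBlockRules
}
```

Azure Files or other sanctioned SMB endpoints would need explicit allow rules placed ahead of these blocks.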
The security advisory indicated that the Windows SMB 3 flaw hasn't been publicly disclosed, nor exploited as of yet.
IT shops might be alarmed nonetheless. After all, it was SMB 1 in older Windows systems, such as Windows XP, that was exploited by the infamous WannaCry (NotPetya) malware almost three years ago. WannaCry was wiper malware disguised as ransomware that disabled IT operations in organizations worldwide.
The WannaCry attack using SMB 1 was said to be "wormable," rapidly proliferating to other networks. Initial descriptions of CVE-2020-0796 (before getting pulled) also used the "wormable" descriptor. Microsoft's Security Advisory ADV200005, though, doesn't use that word.
Today, SMB 1 is deprecated and considered insecure. It shouldn't be used, but it's still present in some Windows environments. Microsoft recently explained that it added a "mitigation" that continues support for SMB 1 in older Windows systems in some cases.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.