New vulnerability in SMB protocol allows attackers to execute code remotely

A new vulnerability has been discovered in the implementation of the SMB protocol in Windows. The vulnerability would allow remote code execution on a network. There is currently no patch available for the vulnerability.

Microsoft confirms the existence of the vulnerability, known as CVE-2020-0796. No technical details are known about the vulnerability yet. Microsoft reports that the vulnerability is not known to be actively exploited. On Monday evening, the leak appeared briefly in an advisory on the site of Cisco’s security department Talos, but the information has since been removed there.

Several participants of the Microsoft Active Protections Program are said to have already received details about the leak. That posted screenshots which talks about a ‘wormable’ attack. As a result, some experts drew parallels with other similar vulnerabilities such as BlueKeep. That vulnerability in the Remote Desktop Protocol caused a lot of damage via the EternalBlue exploit. The current vulnerability would have similarities with that. “An attacker can exploit this bug by sending a proprietary packet to a vulnerable SMBv3 server that the victim must be connected to,” Microsoft wrote in the warning.

Microsoft says it doesn’t have a patch available for the vulnerability at this time. However, security experts do recommend taking certain measures on the network to prevent damage. For example, they should disable SMBv3 compression and block tcp port 445. At this point, it appears that Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909 are vulnerable. Other versions of the operating system may also be added, because SMBv3 was already in older versions such as Windows 8.