Microsoft fixes CVE-2020-0796, the SMBv3 wormable bug recently leaked

Microsoft released security updates to fix a recently disclosed CVE-2020-0796 vulnerability in SMBv3 protocol that could be abused by wormable malware.

Microsoft has released security updates to address the CVE-2020-0796 vulnerability in SMBv3 protocol that could be exploited by vxers to implement “wormable” malware.

On March 10, 2019, Microsoft accidentally leaked info on a security update for a wormable vulnerability in the Microsoft Server Message Block (SMB) protocol.

The issue, tracked as CVE-2020-0796, is pre- remote code execution vulnerability that resides in the Server Message Block 3.0 (SMBv3) network communication protocol, the IT giant will not address the issue as part of the March 2020 Patch Tuesday.

Technical details of the CVE-2020-0796 vulnerability have been disclosed, but security firms Cisco Talos and Fortinet published a description of the issue on their websites.

The vulnerability is caused by an error in the way SMBv3 handles maliciously crafted compressed data packets, a remote, unauthenticated attacker could exploit the flaw to execute arbitrary code within the context of the application.

“This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.” reads the advisory published by Fortinet.

The CVE-2020-0796 vulnerability affects devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). According to Fortinet other Microsoft versions should be affected.

Microsoft has released the KB4551762 update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.

The update addresses the CVE-2020-0796 vulnerability in the Server Message Block.

Users are recommended to install the updates as soon as possible, in case for some reason it is not possible they can refer mitigation advice published by Microsoft.

Microsoft did not plan release fixes for the issue this month, but evidently the accidental disclosure of the flaw forced the IT giant to release the patch today.

The knowledge of the existence of a wormable flaw impacting SMB protocol is alerting the experts that fear a new wave of WannaCry and NotPetya-like attacks.

Some researchers also developed PoC exploit code that could crash the vulnerable machines.

Researchers at security firm Kryptos Logic has found 48,000 hosts online that had the SMB port exposed to the internet and potentially exposed to attacks exploiting the CVE-2020-0796 flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-0796)

Share On