It has been reported that Microsoft leaked information about a security update for a ‘wormable’ pre-authentication remote code execution vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol, a fix that reportedly should have been disclosed as part of this month’s Patch Tuesday. The vulnerability is due to an error in the way SMBv3 handles maliciously crafted compressed data packets; a remote, unauthenticated attacker who exploits it can execute arbitrary code within the context of the application.
Kieran Robert, Head of Penetration Testing, Bulletproof
March 11, 2020
SMB (Server Message Block) is the protocol used for sharing files; this is the same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit, which was weaponised into the WannaCry ransomware. It appears that this new vulnerability has several of the same hallmarks as EternalBlue. From the information we have, it appears that this new vulnerability is also ‘wormable’ - a worm is a piece of malware that is self-replicating, meaning that it can propagate throughout a network without help from a user. This means that this new vulnerability could result in a resurgence of ransomware attacks such as WannaCry and NotPetya, which both used the very similar EternalBlue exploit.

It seems that no Proof of Concept code is currently public, but administrators are advised to disable SMBv3 Compression, which seems to be the vulnerable feature, and to block port 445 where possible. Currently, Microsoft do not have a patch for this and they have not commented (so far) on when one might be available.

The only reason we know that this bug exists is because Microsoft included some details about this vulnerability in their Patch Tuesday details BUT then they didn’t actually patch the problem. I expect this means that they intended to include this fix in the most recent patch, but when they didn’t make the deadline, they forgot to remove the information from the Patch Tuesday notes.
This bug is going by a few different names; two of the ‘best’ are CoronaBlue (based on EternalBlue) and SMBGhost (since everyone now knows there’s a bug, because Microsoft accidentally told us, but nobody can see it).
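The two interim mitigations mentioned above (disable SMBv3 compression, block port 445) as an added PowerShell audit-and-remediate script; this is example code written for this page, not code from Bulletproof or from Microsoft. It assumes that the `DisableCompression` DWORD under `LanmanServer\Parameters` is the switch for server-side SMBv3 compression (verify against the vendor's own workaround guidance) and that the firewall rule name is ours; without `-Apply` it only reports.

```powershell
# Added example: audit, and optionally apply, the interim SMBv3 mitigations.
# Assumption: DisableCompression=1 under LanmanServer\Parameters turns off SMBv3
# server-side compression. The firewall rule name below is our own label.
# Run from an elevated prompt.
param([switch]$Apply)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block inbound SMB (TCP 445) - SMBv3 compression interim mitigation'

function Get-SmbCompressionState {
    $v = Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'enabled (value absent, so default applies)' }
    if ($v.DisableCompression -eq 1) { return 'disabled' }
    return "enabled (value = $($v.DisableCompression))"
}

function Get-Smb445BlockState {
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) { return 'no block rule present' }
    if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Block') { return 'blocked' }
    return "rule present but Enabled=$($rule.Enabled) Action=$($rule.Action)"
}

Write-Host "SMBv3 server compression : $(Get-SmbCompressionState)"
Write-Host "Inbound TCP 445 block rule: $(Get-Smb445BlockState)"

if ($Apply) {
    # 1. Turn off SMBv3 compression for the server role on this host.
    #    This does not protect the host when it acts as an SMB client.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWord -Value 1 -Force

    # 2. Block inbound SMB at the host firewall. Only appropriate where nothing
    #    legitimately needs to reach file shares on this host.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }

    Write-Host 'After applying:'
    Write-Host "SMBv3 server compression : $(Get-SmbCompressionState)"
    Write-Host "Inbound TCP 445 block rule: $(Get-Smb445BlockState)"
}
```

Neither change replaces the vendor patch once it ships; re-run the script without `-Apply` to confirm the state after patching and decide whether to keep the port 445 block.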
