Microsoft has issued an advisory warning its users about a new critical, unpatched and wormable vulnerability affecting the Server Message Block 3.0 (SMBv3) network communication protocol.
Microsoft has just issued its March 2020 Patch Tuesday update, and it seems the company was planning to fix this flaw as part of it but, for some reason, removed the fix at the last minute. However, a tech company accidentally leaked the existence of the unpatched flaw.
The unpatched flaw, identified as CVE-2020-0796, would allow an attacker to execute arbitrary code on the target SMB Server or SMB Client if exploited successfully.
The delayed acknowledgment from Microsoft led some researchers to call the bug “SMBGhost.”
According to the advisory, in order to exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
The Server Message Block protocol provides file sharing, network browsing, printing services, and interprocess communication over a network.
The vulnerability reportedly leaves systems open to a “wormable” attack, which could spread easily from one victim to another.
It is not known when the tech giant plans to patch the flaw, but it urges users to disable SMBv3 compression and block TCP port 445 on firewalls and client computers as a workaround. SMBv3 compression can be disabled with the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Also, Microsoft stated that disabling SMBv3 compression will not prevent the exploitation of SMB clients. However, there is no evidence of this flaw being exploited in the wild.
The flaw affects only Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1903, and Windows Server version 1909. More versions may also be affected, as SMB 3.0 was introduced with Windows 8 and Windows Server 2012.
Until a patch is released, system administrators are advised to implement the workaround to block any attacks attempting to exploit the vulnerability.
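One way an administrator could audit and apply the registry workaround above, as an added example that is not from Microsoft's advisory or the original article. The function name Test-SmbCompressionWorkaround and its output fields are assumptions; the registry path and value come from the command above, and the version list from the article.

```powershell
# Added example: audit and optionally apply the SMBv3 compression workaround.
# The function name and output fields are illustrative assumptions.
function Test-SmbCompressionWorkaround {
    [CmdletBinding()]
    param(
        [switch]$Apply   # write DisableCompression=1 if it is not already set
    )

    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $verKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $affected = @('1903', '1909')   # versions listed in the article

    # ReleaseId holds the feature-update version string, e.g. "1909".
    $release = (Get-ItemProperty -Path $verKey -Name ReleaseId `
                    -ErrorAction SilentlyContinue).ReleaseId

    # A missing value means the workaround has not been applied.
    $current = (Get-ItemProperty -Path $paramKey -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression

    if ($Apply -and $current -ne 1) {
        Set-ItemProperty -Path $paramKey -Name DisableCompression `
            -Type DWord -Value 1 -Force
        # Re-read so the report reflects what is actually in the registry.
        $current = (Get-ItemProperty -Path $paramKey `
                        -Name DisableCompression).DisableCompression
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $release
        InAffectedList     = $affected -contains $release
        DisableCompression = $current
        WorkaroundApplied  = ($current -eq 1)
    }
}

# Report only:
Test-SmbCompressionWorkaround

# Apply from an elevated session, then report:
# Test-SmbCompressionWorkaround -Apply
```

As the article notes, this setting covers the SMB server side only and does not prevent exploitation of SMB clients.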