Microsoft Windows SMB Server Vulnerability Detected

A cybersecurity advisory was issued today, March 12, 2020, regarding a vulnerability in Microsoft Windows SMB Server. The vulnerability could allow a malicious individual to execute remote code, which could potentially lead to a breach.

What It Is:
A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the account running the SMB server and client processes. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Read the original Microsoft Security Advisory.

Threat Intelligence:
Microsoft has released patches for CVE-2020-0796 for the affected systems. The security firm Kryptos Logic has provided video evidence of a denial-of-service attack utilizing the vulnerability, and various scanners for the vulnerability are available on GitHub.

Systems Affected:

• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows Server, version 1903 (Server Core installation)
• Windows Server, version 1909 (Server Core installation)

Risk:
Government:
• Large and medium government entities: High
• Small government entities: Medium
Businesses:
• Large and medium business entities: High
• Small business entities: Medium
Home users: Low

What It Means:
If you and/or your business utilize the Microsoft Windows versions mentioned above, you will need to apply the patches provided by Microsoft following appropriate testing.

Technical Summary:
A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. The vulnerability is due to an error in the handling of maliciously crafted compressed data packets in Server Message Block (SMB) version 3.1.1. To exploit it, an attacker can send specially crafted compressed data packets to a target Microsoft Server Message Block 3.0 (SMBv3) server. Clients that connect to a malicious SMB server are also affected.

What To Do:
We recommend the following actions be taken:

• Apply the patches provided by Microsoft after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
• Apply the Principle of Least Privilege to all systems and services.
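A local check an administrator could run to see whether a host is one of the affected releases listed above and whether the fix or a mitigation is in place. This is an added example, not part of the advisory; it assumes the OS build to release mapping (18362 = 1903, 18363 = 1909), that KB4551762 is the March 2020 update carrying the fix, and the DisableCompression registry workaround Microsoft published for SMBv3 compression, none of which appear in this advisory.

```powershell
# Added example (not from the advisory): local exposure check for CVE-2020-0796.
# Assumptions: builds 18362/18363 are Windows 10 and Server 1903/1909;
# KB4551762 is the update that ships the fix (confirm against Microsoft's
# advisory before relying on it); DisableCompression under LanmanServer\Parameters
# is Microsoft's published workaround that turns off SMBv3 compression.
$AffectedBuilds = @{ '18362' = '1903'; '18363' = '1909' }
$FixKB          = 'KB4551762'
$SmbParams      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbGhostStatus {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [string]$os.BuildNumber
    $release = $AffectedBuilds[$build]
    $releaseLabel = if ($release) { $release } else { 'not in affected list' }

    # Is the SMB server service running? If not, the server-side vector is closed,
    # but the client-side vector described in the Technical Summary remains.
    $server        = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $serverRunning = [bool]($server -and $server.Status -eq 'Running')

    # Patch state: look for the cumulative update that carries the fix.
    $patched = [bool](Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)

    # Workaround state: SMBv3 compression disabled on the server (DWORD value 1).
    $value = (Get-ItemProperty -Path $SmbParams -Name DisableCompression `
                -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($value -eq 1)

    # Exposed means: affected release, fix absent, and workaround absent.
    $exposed = ($null -ne $release) -and (-not $patched) -and (-not $compressionDisabled)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        Release             = $releaseLabel
        SmbServerRunning    = $serverRunning
        FixInstalled        = $patched
        CompressionDisabled = $compressionDisabled
        Exposed             = $exposed
    }
}

Get-SmbGhostStatus | Format-List
```

The workaround only protects the server role; a host reporting CompressionDisabled but not FixInstalled still needs the update for the client-side case.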

Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.

Should your agency or business need assistance with issues arising from vulnerabilities in Microsoft products, including updates and/or patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.