Windows 10 Suffers Yet Another Wormable Zero-Day

Here we go again: An SMB vulnerability lets hackers access your Windows clients and servers. And there’s no patch (yet).

You remember the WannaCry ransomware? It used the leaked “EternalBlue” SMB exploit that the NSA had hoarded.

Could this RCE bug be as bad? At least we know about it. In today’s SB Blogwatch, we dance the SaMBa.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: puppies.


SMB RCE 0-Day FAIL

What’s the craic? Shaun Nichols speaks of “an awful SMBv3 security hole to worry about”:

 [A] particularly nasty remote-code execution hole … lies within SMBv3.

There is no patch available for this right now other than to disable SMBv3 compression for servers. There is no workaround nor patch for clients right now.

Sounds bad. Nikolay Pankov has more—“CVE-2020-0796: New vulnerability in SMB”:

 An attacker can exploit this vulnerability to execute arbitrary code on the side of the SMB server or SMB client. To attack the server, one can simply send a specially created packet. … As for the client, attackers have to configure a malicious SMBv3 server and persuade a user to connect.

Experts believe the vulnerability can be used to launch a worm similar to WannaCry. Microsoft calls the vulnerability critical, so you should close it as soon as possible.

information about the vulnerability has been in the public domain since March 10, so exploits could appear any minute, if they haven’t already. … With no patch available yet, you must close the vulnerability, and that requires workarounds.

And Dan Goodin adds in—“Windows has a new wormable vulnerability”:

 The vulnerability exists in version 3.1.1 of the Server Message Block, the service that’s used to share files, printers, and other resources on local networks and over the Internet. Attackers who successfully exploit the flaw can execute code of their choice on both servers and end-user computers that use the vulnerable protocol.

Microsoft’s implementation of SMBv3 introduces a variety of measures designed to make the protocol more secure. … Microsoft has similarly hardened Windows 10 and Server 2019 to better withstand exploits, especially those that would otherwise be wormable.

CVE-2020-0796 affects Windows 10 versions 1903 and 1909, and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks.

Fair point? Steven J. Vaughan-Nichols puts it a lot stronger—“Come on, Microsoft! Is it really that hard?”:

 That SMB bug [is] the latest bombshell from Microsoft. … In case you don’t remember, SMB security holes are the ones responsible for the infamous WannaCry and NotPetya ransomware.

I mean, when I look at the Windows 10 … landscape, I can almost understand why some of you are still sticking with Windows 7. … Does Microsoft know how to give us a fun time, or what?

What I want to know is why Microsoft Windows quality assurance (QA) has become a joke, with our machines as the punchline. … I don’t get it.

I don’t know how many people Microsoft has working on Windows 10 QA, how much money it pours into the program, and what the expertise level of those people is. But because the results speak louder than words, I do know that Win10 QA is understaffed and under-resourced, with staff that aren’t as experienced as they should be.

Come on, Microsoft! Enough is enough. Get your QA act together already!

Oh my. Marcus Hutchins wrote a scanner, to count vulnerable internet-connected hosts. @kryptoslogic has more:

 We’ve just finished our first internet wide scan for CVE-2020-0796 and have identified 48,000 vulnerable hosts.

Wait. Pause. Who the heck is opening their SMB port to the public internet? AmiMoJo muses thuswise:

 Microsoft’s scheme is to block those services on internet interfaces but not on LAN interfaces. That’s why when you connect to a network it asks you if it is public or private or work.

A private or work network has to be firewalled off from the internet. The danger is that if something gets inside the network it can spread quickly, but that’s not really a big issue because as we have seen with ransomware it doesn’t even need exploits to do that on most corporate networks. The file shares are just there, the permissions are too loose.

Time for a conspiracy theory? kmedcalf alleges an allegation:

 Who released the exploit for the SMBv3 vulnerability that Microsoft wrote into Windows at the behest of the Three Letter Agencies when they had to close the last vulnerability that they wrote into Windows (the SMBv1 remote execution vulnerabilities).

Seems that the Window between “TLA Sponsored Vulnerability Insertion” and detection and closure is getting shorter though, and that it a good thing.

Is it also a problem in macOS, Linux, etc.? Let’s hear from Mr. Samba, Jeremy Allison:

 Microsoft hasn’t contacted us (Samba) so this almost certainly isn’t a protocol level bug (they’re very good about being proactive on these), but an error in their implementation. … In other words, a typical buffer overrun in a compression library. Gee, wonder where I’ve seen these before.

So most Linux-based SMB3 servers and NAS boxes (which use Samba) will not be affected. [But] things may change as more information becomes available.

Should we just disable the SMB services? No, says Opportunist:

 It’s one of those classic Windows problems, that you can’t just turn a service for X off without affecting Y, Z and a bunch of others where you wonder why the **** they depend on a service that should have nothing to do with them. In a sensible system, you could now simply ponder whether you need file sharing and if not, turn the service off and be done with it.

Not so in Windows. Try to disable that service, I dare you.

Meanwhile, try not to panic. Jake Williams—@MalwareJake—calms us down:

 Let’s be realistic about risk:
1. Core SMB sits in kernel space and KASLR is great at mitigating exploitation.
2. Asssuming this is kernel space, any unsuccessful exploitation results in BSOD.

You still have to remotely bypass KASLR. … This isn’t easy.

This IS serious, but it isn’t WannaCry 2.0. … I’m not thrilled about another SMB vuln, but … hysteria is unwarranted.

And Finally:

In these uncertain times, we all need six puppies in a bucket

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Chul-Ho Kim (Pixabay)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 596 posts and counting.See all posts by richi