Microsoft fixes CVE-2020-0796, the SMBv3 wormable bug recently leaked

Microsoft released security updates to fix a recently disclosed CVE-2020-0796 vulnerability in SMBv3 protocol that could be abused by wormable malware.

Microsoft has released security updates to address the CVE-2020-0796 vulnerability in SMBv3 protocol that could be exploited by vxers to implement “wormable” malware.

On March 10, 2019, Microsoft accidentally leaked info on a security update for a wormable vulnerability in the Microsoft Server Message Block (SMB) protocol.

The issue, tracked as CVE-2020-0796, is pre- remote code execution vulnerability that resides in the Server Message Block 3.0 (SMBv3) network communication protocol, the IT giant will not address the issue as part of the March 2020 Patch Tuesday.

Technical details of the CVE-2020-0796 vulnerability have been disclosed, but security firms Cisco Talos and Fortinet published a description of the issue on their websites.

The vulnerability is caused by an error in the way SMBv3 handles maliciously crafted compressed data packets, a remote, unauthenticated attacker could exploit the flaw to execute arbitrary code within the context of the application.

“This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.” reads the advisory published by Fortinet.

The CVE-2020-0796 vulnerability affects devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). According to Fortinet other Microsoft versions should be affected.

Microsoft has released the KB4551762 update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.

The update addresses the CVE-2020-0796 vulnerability in the Server Message Block.

Users are recommended to install the updates as soon as possible, in case for some reason it is not possible they can refer mitigation advice published by Microsoft.

Microsoft did not plan release fixes for the issue this month, but evidently the accidental disclosure of the flaw forced the IT giant to release the patch today.

The knowledge of the existence of a wormable flaw impacting SMB protocol is alerting the experts that fear a new wave of WannaCry and NotPetya-like attacks.

Some researchers also developed PoC exploit code that could crash the vulnerable machines.

Researchers at security firm Kryptos Logic has found 48,000 hosts online that had the SMB port exposed to the internet and potentially exposed to attacks exploiting the CVE-2020-0796 flaw.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-0796)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.