<
>

CyberSecurity Asean security alert on A Vulnerability in Microsoft Windows SMB Server Could Allow for Remote Code Execution

This alert is originally published and can be viewed at https://www.cisecurity.org

OVERVIEW:
A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the account running the SMB server and client processes. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 
THREAT INTELLIGENCE:

Microsoft has released patches for CVE-2020-0796 for the affected systems. The security firm Kryptos Logic has provided video evidence of a denial of service attack utilizing the vulnerability and various scanners for the vulnerability are available on GitHub.
 
SYSTEMS AFFECTED:

  • Windows 10 Version 1903 for 32-bit Systems

  • Windows 10 Version 1903 for ARM64-based Systems

  • Windows 10 Version 1903 for x64-based Systems

  • Windows 10 Version 1909 for 32-bit Systems

  • Windows 10 Version 1909 for ARM64-based Systems

  • Windows 10 Version 1909 for x64-based Systems

  • Windows Server, version 1903 (Server Core installation)

  • Windows Server, version 1909 (Server Core installation)

RISK:
Government:

  • Large and medium government entities: High

  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High

  • Small business entities: Medium

Home users: Low
 
TECHNICAL SUMMARY:
A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. This vulnerability is due to an error in handling maliciously crafted compressed data packets within version 3.1.1 of Server Message Blocks. To exploit this vulnerability, an attacker can send specially crafted compressed data packets to a target Microsoft Server Message Block 3.0 (SMBv3) server. Clients who connects to the malicious SMB server would then also be impacted. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the account running the SMB server and client processes. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Consider applying the workarounds provided by Microsoft until patches are released; The workaround does not mitigate attacks targetting SMB clients.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

  • Apply the patches provided by Microsoft after appropriate testing.

REFERENCES:
Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Tenable:
https://www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796

You might also like
Most comment
share us your thought

0 Comment Log in or register to post comments