Microsoft has confirmed a critical, yet unpatched, vulnerability impacting Windows 10 users
Yesterday was Patch Tuesday, the day that Microsoft releases a round of updates to patch security vulnerabilities in various products. The good news is that this month’s bunch of updates fixed a total of 115 vulnerabilities. The bad news is that it didn’t fix a critical one impacting Windows 10 users that was mistakenly disclosed on the same day.

That vulnerability has been named ‘EternalDarkness’ and ‘SMBGhost’ by various security vendors, both names being particularly descriptive. This ‘wormable’ flaw affects the Server Message Block (SMB) network communications protocol. Use wormable and SMB in the same breath, and they are usually followed by EternalBlue, the exploit developed by the National Security Agency (NSA) that was used in the 2017 WannaCry attacks.

Why SMBGhost? The Malware Hunter Team on Twitter was among the first to spot the vulnerability disclosure, an exposure that was made by mistake and quickly removed. Seeing as people believed the vulnerability existed, but nobody could actually see it, it was dubbed SMBGhost. Naming conventions apart, then, just how serious is this security issue?
I recently reported how hackers were targeting Windows 10 users who had newly updated their computers. I also reported on a Windows 10 ransomware threat that is hiding in plain sight. I mention both as updating your Windows 10 machines with the latest Patch Tuesday security updates isn’t going to help prevent an exploit of this new vulnerability, which is now effectively also hiding in plain sight.
What is CVE-2020-0796?
It appears that CVE-2020-0796 was thought by some vendors to be included in the Patch Tuesday updates, and they accidentally published details of it in their update round-up blog. Being the internet, even though that disclosure was removed relatively quickly, details of the vulnerability and how it could be exploited soon spread across information security social media feeds.
The vulnerability in the SMB 3.0 network communication protocol, if successfully exploited by an attacker, could enable remote and arbitrary code execution and potentially allow the attacker to take control of the system. One of the now-deleted security vendor blogs that accidentally leaked the disclosure said that CVE-2020-0796 exploitation was “wormable.” This means that an attacker could move from victim to victim in a similar way to how the EternalBlue SMB exploit enabled WannaCry to spread so quickly.
Microsoft confirms vulnerability is critical and unpatched
I reached out to Microsoft for more details, and a spokesperson pointed me to a security advisory that confirms the vulnerability exists, impacts Windows 10 systems, and is critical in nature.
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” the advisory said. To exploit the vulnerability, an attacker would need to either send a “specially crafted packet” to a target server or configure a malicious server and “convince a user to connect to it.”
Microsoft confirmed that there is no evidence to suggest that the vulnerability has been exploited so far, that no mitigating factors have been identified, and that no update to fix it is currently available. There is a workaround that involves disabling SMBv3 compression, and the full details for doing that can be found in the advisory.
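The following script is an added example and is not part of the article or of Microsoft's advisory: run as an administrator on a Windows host, it reports whether the build is one of the affected 1903/1909 releases and whether the SMBv3 compression workaround is already in place, and applies the workaround only when invoked with -Apply. It assumes the workaround is the DisableCompression DWORD under the LanmanServer Parameters key, as documented in Microsoft's advisory for this CVE, and that builds 18362 and 18363 correspond to versions 1903 and 1909.

```powershell
# Added example (not from the article or Microsoft): audit one Windows host for
# exposure to CVE-2020-0796 and, with -Apply, enable the advisory's workaround.
# Assumption: the workaround is the DWORD 'DisableCompression' = 1 under the
# LanmanServer Parameters key, as documented in Microsoft's advisory for this CVE.
[CmdletBinding()]
param([switch]$Apply)

# Build numbers of the affected releases (Windows 10 and Server Core 1903 / 1909).
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbGhostStatus {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $version = $affectedBuilds[$build]
    # Missing value means compression is still enabled (the default).
    $disabled = (Get-ItemProperty -Path $regPath -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        Build               = $build
        AffectedVersion     = $version
        CompressionDisabled = ($disabled -eq 1)
        Exposed             = ([bool]$version) -and ($disabled -ne 1)
    }
}

$status = Get-SmbGhostStatus
$status | Format-List

if ($status.Exposed -and $Apply) {
    # Advisory workaround: turn off SMBv3 compression on the server side.
    # This protects the SMB server role only; SMB clients that connect to a
    # malicious server remain exposed until a patch is installed.
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Output 'SMBv3 compression disabled on this host.'
}
```

Run without -Apply across a fleet to inventory exposed hosts first; the registry change is a stopgap for the server role only and should be revisited once Microsoft ships a fix.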
Which versions of Windows are affected?
According to the Microsoft security advisory, the following versions of Windows 10 are impacted by this vulnerability:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)