Zero-day vulnerability in Microsoft SMBv3 allows remote code execution on Windows systems; no patch available

The bad news keeps coming for Microsoft. A report published by researchers of a cyber security course revealed that the tech giant accidentally disclosed sensitive information about a zero-day vulnerability in the Microsoft Server Message Block (SMB) protocol.

The vulnerability, tracked as CVE-2020-0796, is a pre-authentication remote code execution issue present in version 3.0 of the protocol that has not been corrected by the company despite having previously received the report.

According to members of the cyber security course, the flaw exists due to an error in the way SMBv3 handles maliciously crafted compressed data packets. Threat actors could exploit the vulnerability to execute arbitrary code in the context of the target application. In this regard, security firm Fortinet published a report mentioning repeated attempts to exploit a buffer overflow vulnerability on SMB servers related to CVE-2020-0796.

The security firm also mentioned that the vulnerability affects any device running Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909, and Windows Server version 1909, although the presence of the flaw in other versions of the operating system.

Reports on vulnerabilities in the SMB protocol are a constant concern for the community because, as cyber security course experts indicate, failures in this protocol were a key factor in the spread of the WannaCry and NotPetya ransomware infections a couple of years ago.

Microsoft eventually acknowledged the flaw on March 10, adding that malicious hackers could exploit it to perform remote code execution.

It is important to emphasize that there is not yet a solution available to fix this flaw. According to the International Institute of Cyber Security (IICS), an alternative solution to mitigate the risk of exploitation is to disable SMBv3 compression and block TCP port 445.

To disable SMBv3 compression, administrators of exposed deployments can follow these steps:

  • Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
  • Create a DWORD value
  • Set that value to “0”

The company is expected to have a fix ready for this bug in its next update package, so system administrators are advised to remain alert to any new information.
