Microsoft released an emergency security patch on March 12th to correct a critical vulnerability in Server Message Block (SMB) version 3, which is used for file sharing and other core network capabilities in Windows 10 and Windows Server 2019. Attackers who exploit this vulnerability against unpatched servers could spread the infection quickly from server to server throughout a corporate environment without any user interaction, referred to as a network worm attack. Attackers could also set up a malicious SMB server and attempt to trick people into connecting to it by sending a link in a phishing email message to compromise unpatched Windows 10 workstations. A combination of these attack vectors could target employee workstations to gain an initial foothold in a company’s network and then spread to all the servers. Sophos Labs has developed, but not released, a proof-of-concept exploit for CVE-2020-0796, so it is likely that threat actors will not be far behind in developing or stealing an exploit.
Analyst Notes
If it is possible to apply the security patch immediately, that should be done. If it is not possible to patch due to server uptime requirements, the Microsoft advisory ADV200005 linked below provides mitigation steps, such as disabling SMB compression, which does not require a server reboot. Updating firewall rules to filter or block TCP connections on port 445 outbound to the Internet is a good mitigating step to prevent workstations from being compromised by external SMB servers. Blocking inbound connections to port 445 is also a useful control for protecting servers. It is generally unsafe to expose SMB file sharing to access from the entire Internet, even for fully patched servers. It is important to regularly scan the public-facing IP address range used by your company to ensure that any exposed servers are identified, and any vulnerabilities can be mitigated. Binary Defense provides a security assessment, including an external vulnerability scan, as a complementary service to businesses. Details are available here: https://www.binarydefense.com/risk/
For more information, please see the advisories from Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005
https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
Patch now! Microsoft releases fixes for the serious SMB bug CVE-2020-0796
