The release of a fully functional proof-of-concept (PoC) exploit for a critical, wormable remote code-execution (RCE) vulnerability in Windows could spark a wave of cyberattacks, the feds have warned.
Microsoft patched the bug tracked as CVE-2020-0796 back in March; also known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows Server 2019. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol – the same protocol that was targeted by the infamous WannaCry ransomware in 2017. SMB is a file-sharing system that allows multiple clients to access shared folders, and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection.
In this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys.
Microsoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).
“Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber-actors are targeting unpatched systems with the new PoC, according to recent open-source reports,” warned the Cybersecurity and Infrastructure Security Agency (CISA) on Friday. “CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.”
The author behind the PoC, who goes by “Chompie,” announced his exploit last week on Twitter. Several replies followed the original post, confirming that the exploit does in fact work.
The PoC is notable because it achieves RCE – previous attempts to exploit SMBGhost have resulted only in denial of service or local privilege escalation, according to security analysts.
“While there have already been many public reports and PoCs of LPE (Local Privilege Escalation), none of them have shown that RCE is actually possible so far,” said researchers at Ricerca Security, who did a full writeup of Chompie’s exploit. “This is probably because remote kernel exploitation is very different from local exploitation in that an attacker can’t utilize useful OS functions such as creating userland processes, referring to PEB, and issuing system calls.”
Windows 10 also has specific mitigations that make RCE a much more difficult thing to achieve, they noted.
“In the latest version of Windows 10, RCE became extremely challenging owing to almost flawless address randomization,” the researchers explained. “In a nutshell, we defeat this mitigation by abusing MDL (memory descriptor list)s, structs frequently used in kernel drivers for Direct Memory Access. By forging this struct, we make it possible to read from ‘physical’ memory. As basically no exception will occur when reading physical memory locations, we obtain a stable read primitive.”
To protect networks, administrators should apply the updates; Microsoft also has offered workaround guidance for those that can’t patch. For instance, on the server side, companies can disable SMBv3 compression to block unauthenticated attackers, using a PowerShell command: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force. No reboot is necessary.
To protect unpatched SMB clients, Microsoft noted that it’s possible to block traffic via firewalls and other methods. Companies can for instance simply block TCP port 445 at the enterprise perimeter firewall (though systems could still be vulnerable to attacks from within their enterprise perimeter).