Threat Response: UPDATE – Vulnerability in Microsoft SMBv3

12-03-2020


Yesterday, on 11 March, we informed you about a vulnerability in Microsoft's SMBv3 protocol [1]. Microsoft has just released a patch addressing this vulnerability [5][6]. This update covers the new information and the mitigation steps now available.

Versions

The software versions that are vulnerable are the following:

  • Windows 10 (versions 1903 and 1910)
  • Windows Server Core (versions 1903 and 1910)

Older Windows versions, including Windows 7 and Windows Server 2012, are not affected, since they do not support SMB version 3.

Risk

At this moment, one party has demonstrated a Proof-of-Concept attack [7]. Details regarding this Proof-of-Concept are not available yet, and no active exploitation has been observed so far. However, because other parties have been able to craft a Proof-of-Concept, we expect exploitation to happen soon. Therefore, we are raising the risk to High/High.

Mitigation

Microsoft has released a patch for the vulnerability (KB4551762) [5]. We strongly recommend installing this update as soon as possible, even if you have already applied the workaround. The workaround did not protect SMB clients, whereas the patch also covers SMB clients.
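One way to verify on a host that the update is present, as an added example that is not part of the original advisory. The build numbers 18362/18363 and the revision 720 are assumptions taken from Microsoft's release numbering rather than from this page, and `Get-SmbV3PatchState` is a hypothetical helper name.

```powershell
# Added example: report whether this host still needs the SMBv3 update.
# Assumptions (not from the advisory): the affected releases report
# CurrentBuild 18362 or 18363, and KB4551762 raises their update build
# revision (UBR) to 720.
$KbId          = 'KB4551762'
$FixedUbr      = 720
$BuildsInScope = @('18362', '18363')

function Get-SmbV3PatchState {
    [CmdletBinding()]
    param()

    # OS build and update revision as recorded by Windows itself.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Get-HotFix returns nothing (error suppressed) when the KB is not listed.
    # A later cumulative update also contains the fix and may replace this KB
    # in the list, so the build revision is checked as a second signal.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    $inScope     = $BuildsInScope -contains $build
    $kbListed    = $null -ne $hotfix
    $needsUpdate = $inScope -and (-not $kbListed) -and ($ubr -lt $FixedUbr)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = "$build.$ubr"
        InScope      = $inScope
        KbListed     = $kbListed
        NeedsUpdate  = $needsUpdate
    }
}

$state = Get-SmbV3PatchState
$state | Format-List
if ($state.NeedsUpdate) {
    Write-Warning "$($state.ComputerName): $KbId or a later cumulative update is missing."
}
```

Because the patch also covers SMB clients, run the check on workstations as well as on file servers.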

For the previous message about this Threat Response, see [1].

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: soc@northwave.nl
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://northwave-security.com/threat-response-vulnerability-in-microsoft-smbv3/

[2]: https://www.kb.cert.org/vuls/id/872016/

[3]: https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/

[4]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

[5]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

[6]: https://www.bleepingcomputer.com/news/security/microsoft-releases-kb4551762-security-update-for-smbv3-vulnerability/

[7]: https://twitter.com/kryptoslogic/status/1238057276738592768?s=12

[8]: https://news.sophos.com/en-us/2020/03/12/patch-tuesday-for-march-2020-fixes-the-serious-smb-bug-cve-2020-0796/

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.