Microsoft has warned that a flaw in its Server Message Block (SMBv3) protocol could leave Windows systems open to attack, but it has not yet released a patch.
Labelled by Microsoft as ‘critical’, the vulnerability affects versions 1903 and 1909 of Windows 10 and Windows Server systems running SMB version 3.1.1.
According to cybersecurity vendor Fortinet, the vulnerability is caused by an error in handling “a maliciously crafted compressed data packet”, which points to a buffer overflow.
Microsoft said the flaw can be exploited by an attacker sending such a “specially crafted packet” to a target SMBv3 server, or by tricking a user into connecting to a malicious SMBv3 server; either path lets the attacker execute code on the affected machine.
Unfortunately for Microsoft, some cybersecurity researchers – like Fortinet – published advisories about the vulnerability before Microsoft had disclosed it publicly.
Mentions of the vulnerability soon disappeared and Microsoft was forced to put up its own warning about the flaw – complete with a workaround – but with no proper patch.
“Can it get more strange than this?” – MalwareHunterTeam (@malwrhunterteam), March 10, 2020
Although there is no sign the flaw has yet been exploited in the wild, Satnam Narang, a researcher with cybersecurity firm Tenable, said the way malicious code could spread using the SMBv3 flaw is reminiscent of the WannaCry ransomware.
“This latest vulnerability evokes memories of EternalBlue, most notably CVE-2017-0144, a remote code execution vulnerability in SMBv1 that was used as part of the WannaCry ransomware attacks,” Narang said.
“It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness. However, there is currently little information available about this new flaw and the time and effort needed to produce a workable exploit is unknown.”
Absent a full patch, Microsoft’s advice is for sysadmins to disable compression for SMBv3 using the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
You can also protect your enterprise by blocking TCP port 445 at the perimeter firewall, although this only defends against attacks coming from the internet, not those originating inside the enterprise perimeter.
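The following PowerShell script is an added example, not from the article or from Microsoft: it audits whether a host is on one of the Windows 10 versions the article names and whether the compression workaround is already in place, and applies the same registry change the article quotes only when run with -Apply. It assumes the registry path and value from the article, and that Windows 10 versions 1903 and 1909 correspond to build numbers 18362 and 18363 (the standard build numbers for those releases).

```powershell
# Added example: audit and (optionally) apply the SMBv3 compression workaround.
# Assumptions: registry location and value name as quoted in the article;
# build numbers 18362 and 18363 are Windows 10 versions 1903 and 1909.
param([switch]$Apply)

$RegPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$ValueName = "DisableCompression"
$AffectedBuilds = @(18362, 18363)

function Get-SmbCompressionState {
    # Returns 1 when compression is disabled (workaround present),
    # 0 when it is explicitly enabled, or $null when the value is absent.
    $props = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Test-AffectedBuild {
    # True when the OS build matches one of the versions the article lists.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($AffectedBuilds -contains $build)
}

function Set-SmbCompressionDisabled {
    # Same write the article quotes; -Force creates the value if it is missing.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force
}

# --- audit ---
$affected = Test-AffectedBuild
$state    = Get-SmbCompressionState
$stateText = if ($null -eq $state) { "not set" } else { $state }
Write-Host ("Affected build: {0}; {1} = {2}" -f $affected, $ValueName, $stateText)

# --- remediate only when asked to and when it is actually needed ---
if ($affected -and $state -ne 1) {
    if ($Apply) {
        Set-SmbCompressionDisabled
        Write-Host "Workaround applied: SMBv3 compression disabled on the server service."
    } else {
        Write-Host "Workaround NOT in place. Re-run with -Apply (as Administrator) to set it."
    }
} elseif ($affected) {
    Write-Host "Workaround already in place."
} else {
    Write-Host "Build not in the affected list; no change made."
}
```

Run it without arguments from an elevated prompt to audit, and with -Apply to set the value. Because the key lives under LanmanServer, this change only affects the SMB server service on the host; it does not protect a client that is tricked into connecting to a malicious SMBv3 server, the second vector the article describes, so the perimeter block on TCP 445 and the eventual patch remain necessary.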