Microsoft has disclosed a vulnerability that allows pre-authentication remote code execution.
A third party had already accidentally disclosed the vulnerability following some confusion about whether a recent patch had fixed the issue. Two days after the disclosure, no patch had yet been released, although Microsoft had provided some workaround instructions pending a patch.
The vulnerability relates to the SMB protocol that later Windows operating systems (Windows 2000 onwards) use to share access to files and peripherals such as printers. The WannaCry ransomware attack of 2017 took advantage of a similar vulnerability despite a patch having been made available by Microsoft well in advance. This flaw, however, relates to how version 3.1.1 of the SMB protocol processes maliciously crafted compressed data packets. This means an exploit could allow an unauthorised attacker to execute arbitrary code remotely. It could also potentially be used by a worm to propagate automatically between vulnerable systems.
In its announcement, Microsoft said:
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
The issue only affects recent versions of Windows 10 and Windows Server, so it is perhaps fortunate that unsupported products like Windows 7 are not vulnerable. Given the popularity of Windows 10, however, there may be ample scope for threat actors to compromise systems before a patch is released and reaches the numerous affected systems in the world.
In the absence of a patch, Microsoft suggests disabling SMBv3 compression through a PowerShell command. It notes, however, that this will only protect SMB servers and not clients, although the latter can only be affected if a user is tricked into connecting to a malicious SMBv3 server.
Microsoft also suggests blocking TCP port 445 on a perimeter firewall to prevent external attacks, although it cautions that systems may still be vulnerable to attacks from inside the firewall, such as from previously compromised systems.
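As an added example, not code from the article or from Microsoft's advisory, the following PowerShell script audits and applies the server-side compression workaround described above and lists host firewall rules that allow inbound TCP 445. It assumes the registry value that Microsoft's workaround guidance sets (a DWORD named DisableCompression under the LanmanServer\Parameters key); confirm the exact value against the current advisory before relying on it. Run it from an elevated session.

```powershell
# Added example (not from the original article): audit and apply Microsoft's
# interim SMBv3 workaround on a Windows 10 / Windows Server host.
# Assumption: the workaround is DWORD DisableCompression = 1 under
# HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, as in
# Microsoft's published guidance; verify against the current advisory.

$SmbServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbCompressionMitigation {
    # Returns $true when SMBv3 server-side compression has been disabled.
    $value = Get-ItemProperty -Path $SmbServerParams -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.DisableCompression -eq 1)
}

function Enable-SmbCompressionMitigation {
    # Applies the workaround. This protects only the SMB server role; a client
    # that is tricked into connecting to a malicious SMBv3 server is not covered.
    Set-ItemProperty -Path $SmbServerParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Get-Inbound445AllowRules {
    # Lists enabled inbound host-firewall rules that allow TCP 445, so you can
    # see which profiles (Domain/Private/Public) still accept SMB connections.
    # This inspects the host firewall, not the perimeter firewall the article refers to.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile
}

if (-not (Test-SmbCompressionMitigation)) {
    Enable-SmbCompressionMitigation
}

# Summary object suitable for collection from many hosts (e.g. via Invoke-Command).
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    SmbCompressionDisabled = Test-SmbCompressionMitigation
    Inbound445AllowRules   = @(Get-Inbound445AllowRules)
}
```

The summary object can be gathered across an estate with Invoke-Command to find hosts that still have compression enabled or that accept SMB on the Public profile.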
While the security community often takes extensive steps to keep vulnerabilities out of the public domain until corrective patches are available, this is sometimes not possible or, as in this case, the vulnerability is accidentally disclosed. Keeping on top of security can be a challenging endeavour, especially when patches are not immediately available.
At Pro-Networks, we can help you to stay secure with our network management services. This can include taking precautionary measures like installing a physical firewall to limit outside access to your systems and making specific interventions, such as the workaround suggested by Microsoft.