A new vulnerability in the SMB protocol allows an unauthenticated attacker to run arbitrary code on vulnerable computers. Bitdefender detects and blocks this type of exploitation at the network level as Exploit.SMB.CVE-2020-0796.EternalDarkness, via the Network Attack Defense module in Bitdefender GravityZone.
On March 12, 2020, Microsoft released a particularly important patch that fixes a serious flaw in the SMB kernel driver. Accidentally disclosed, then missed in the March 2020 Patch Tuesday, this flaw affects the SMB Client and Server version 3.1.1 for Windows and can be remotely exploited to trigger a denial-of-service attack and, in several circumstances, remote code execution.
Since exploiting the vulnerability does not require authentication, this attack could be weaponized in a “wormable” form, allowing a threat actor to run code remotely simply by connecting to a Windows machine over SMB (TCP port 445).
A little background
Last year, Microsoft added a feature for compressing data exchanged between hosts running SMB Client and Server for Windows. This feature is only available starting with Windows 10 version 1903. However, the code that parses compressed message headers does not check for overflows or underflows, so an unauthenticated attacker who sends a specially crafted packet can write and read out-of-bounds memory on the vulnerable system.
More to the point, untrusted data from the network is copied directly into the smb2_compression_transform_header structure, and two of its fields are then added together (header.OriginalCompressedSegmentSize + header.OffsetOrLength) to determine the allocation size for the buffer that holds the decompressed data. Because the sum is not validated, an integer overflow is possible, in which case a buffer smaller than required is allocated for decompression and the rest of the decompressed data overflows it in memory.
An integer underflow is also possible when header.OffsetOrLength is larger than the size of the packet being sent across the network, which results in an out-of-bounds read. By combining these two bugs, an attacker can obtain remote code execution and, implicitly, own the target machine.
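The two arithmetic flaws described above, modelled in user-space C beside a validated form. This is an added example, not Microsoft's driver code and not code from the original article; the struct is a simplified model of the two fields named in the text, and `validate_header`, `max_msg` and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the two 32-bit length fields named in the text. */
struct compression_header {
    uint32_t OriginalCompressedSegmentSize; /* claimed size after decompression */
    uint32_t OffsetOrLength;                /* bytes preceding the compressed data */
};

/* Unchecked pattern from the text: the 32-bit sum can wrap to a small value. */
static uint32_t alloc_size_unchecked(const struct compression_header *h) {
    return h->OriginalCompressedSegmentSize + h->OffsetOrLength;
}

/* Unchecked pattern: wraps to a huge length when the offset exceeds the payload. */
static uint32_t compressed_len_unchecked(const struct compression_header *h,
                                         uint32_t payload_len) {
    return payload_len - h->OffsetOrLength;
}

/* Hardened form: validate both fields before any result is trusted.
 * max_msg is a hypothetical upper bound on a decompressed message. */
static bool validate_header(const struct compression_header *h,
                            uint32_t payload_len, uint32_t max_msg,
                            uint32_t *alloc_size, uint32_t *compressed_len) {
    if (h->OffsetOrLength > payload_len)
        return false;                /* would underflow: out-of-bounds read */
    if (h->OriginalCompressedSegmentSize > UINT32_MAX - h->OffsetOrLength)
        return false;                /* sum would wrap: undersized buffer */
    uint32_t total = h->OriginalCompressedSegmentSize + h->OffsetOrLength;
    if (total > max_msg)
        return false;                /* larger than any legitimate message */
    *alloc_size = total;
    *compressed_len = payload_len - h->OffsetOrLength;
    return true;
}

int main(void) {
    /* Constructed field values, not taken from any capture. */
    struct compression_header wrap = { 0xFFFFFF00u, 0x200u };
    uint32_t a = 0, c = 0;
    printf("unchecked alloc=%u len=%u\n", (unsigned)alloc_size_unchecked(&wrap),
           (unsigned)compressed_len_unchecked(&wrap, 0x100u));
    printf("validated=%d\n", validate_header(&wrap, 0x400u, 1u << 20, &a, &c));
    return 0;
}
```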
Lessons learned from 2017 and mitigation
If SMB and “wormable attacks” ring a bell, you’re not imagining things - we’ve been through this before, in 2017, when the EternalBlue exploit allegedly developed by the National Security Agency (NSA) was used to rocket-strap WannaCry ransomware.
While there is no evidence at this point that the exploit is actively used in the wild, this vulnerability is rated CRITICAL, with a CVSS base score of 10. IT administrators should take immediate action to mitigate risks.
1. Install updates: Microsoft released KB4551762 on March 12 that fixes the vulnerability. Bitdefender customers can automate deployment of updates via the Patch Management module.
2. If patching is impossible, disable SMBv3 compression on servers. This does not fix the issue on vulnerable clients. You can disable compression with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
3. Block TCP port 445 externally at the enterprise perimeter firewall. Normally, SMB services should not be exposed outside of the local network.
How can Bitdefender protect you?
All Bitdefender GravityZone customers are protected against CVE-2020-0796 exploitation through Network Attack Defense, a powerful technology that Bitdefender has incorporated in its entire business line. The technology focuses on detecting network attack techniques designed to gain access on specific endpoints, such as brute-force attacks, network exploits and password stealers, and has proven effective in a number of recent attacks, including last year’s BlueKeep outbreak.
Stay safe from SMB exploits and other emerging cyberthreats with an end-to-end breach avoidance solution, incorporating hardening, prevention, detection and response under a single agent, single platform. Request a demo of Bitdefender GravityZone™ today.