Microsoft has rolled out an emergency out-of-band update, KB4551762, just in time to patch the vulnerability in SMBv3 (CVE-2020-0796) that was leaked as part of the March 2020 Patch Tuesday.
On March 10, Security Advisory ADV200005 was released with Patch Tuesday updates that revealed details on a remote code execution (RCE) vulnerability in the way Server Message Block 3.1.1 (SMBv3) handles connections that use compression. Despite March Patch Tuesday marking the largest Patch Tuesday ever, with a whopping 115 CVEs resolved, CVE-2020-0796 created a lot of fuss among security communities.
As stated in ADV200005, “To exploit CVE-2020-0796 against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
The wormable nature of CVE-2020-0796 is reminiscent of EternalBlue, an RCE vulnerability in SMBv1, which was the prime vector of the disastrous WannaCry. This comparison has many fearful that it could be weaponized to launch a new wave of WannaCry and NotPetya; researchers are even referring to it as EternalDarkness, along the lines of EternalBlue.
A day before the patch was released, cybersecurity firm Kryptos Logic shared on Twitter a basic denial-of-service proof-of-concept (PoC) exploit demo leveraging CVE-2020-0796. Kryptos Logic also announced that it identified around 48,000 vulnerable hosts across the internet that had the SMB port exposed, saying that these hosts were likely to fall victim to potential attacks using EternalDarkness. Since PoC exploits have already been developed, it’s high time that you pushed KB4551762 to your vulnerable systems.
If you have difficulty applying the applying KB4551762, Microsoft recommends mitigation measures for SMB servers in its security advisory.
Tackling EternalDarkness and other critical vulnerabilities is a piece of cake with our prioritization-driven threat and vulnerability management solution, Vulnerability Manager Plus. Vulnerability Manager Plus empowers you with a dedicated “zero-day vulnerabilities” tab to give you targeted visibility over any zero-day vulnerabilities, as well as publicly disclosed and other critical vulnerabilities that could be exploited easily. From this module, you can easily fix CVE-2020-0796 since patches are automatically correlated beforehand. Furthermore, it enables you to test the updates in a pilot group before rolling them out to your production machines. And, it’s imperative that you perform patch testing, especially since out-of-band updates have resulted in issues in the past. With a robust security configuration feature baked into Vulnerability Manager Plus, you can even block TCP port 445 in the affected endpoints since that is the best defense against SMB-related wormable attacks.
What are you waiting for? Install a free, 30-day trial of Vulnerability Manager Plus now to stay guarded against EternalDarkness.