Microsoft urgently fixes the flaw in SMBv3

Microsoft’s response was quick, urgently releasing a patch for the vulnerability found in the Server Message Block (SMBv3) protocol. It allows the sharing of resources on local networks with Windows PCs. The flaw was inadvertently released by Microsoft and raised concerns that it could be exploited.

CVE-2020-0796 addresses how SMBv3 handles certain requests. An unauthenticated attacker can exploit the flaw by sending a crafted packet to the vulnerable SMBv3 server. The goal for the cybercriminal is to gain complete control of the compromised system and execute malicious code. Note that this flaw mainly affects users of Windows 10 and Server Core in versions 1903 and 1909.

A minimum fix

Hotfix KB4551762 which was released urgently should address the concerns. Earlier this week, the publisher advised disabling compression for SMBv3 and blocking TCP port 445 at the perimeter firewall. The Redmond firm specifies that this patch prevents exploitation on the server side, but does not guarantee protection on vulnerable SMB clients. Knowing that to exploit an SMB client, the attacker would have to set up a malicious SMB server and convince users to connect to it.

A flaw in the SMB protocol awakens bad memories, as it was the source of the EternalBlue exploit (from the NSA) used in the Wannacry and NotPetya campaign. It is therefore not surprising that the researchers have nicknamed the vulnerability affecting SMBv3, EternalDarkness.