CVE-2020-0796

There are a lot of useless posts going around about this right now. I hope mine is a little more useful, since most of them don't mention whether this is being exploited in the wild. TL;DR: no, it isn't; no need to panic right now.

Keep an eye on this page: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005 - The information here tells us three important things at this time:

  1. This was not publicly disclosed; nobody but Microsoft knows how to exploit it.
  2. This is not being exploited: no proof of concept, no zero-day.
  3. There is no patch available. Not ideal, but important to know; here's why.

With no patch available, attackers have nothing to compare against. In other words, if a patch were available, I could take a vulnerable system and a patched system, and find out where the differences were (well, maybe not me, but someone smarter than me). Once I know that, I would have a much better chance of knowing where the bug was, and how I might be able to exploit it.

Edit/Update: One thing you can do is disable SMBv3 Compression according to the Microsoft Advisory above. This would tell attackers that the vulnerability likely has something to do with the compression functionality, but I still don't think this is enough. Whether you want to disable compression or not is going to be up to your threat model. Here is the PowerShell command to make this happen:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
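As an added example (not part of the original post), here is a small PowerShell audit that reads the same registry value and reports whether the advisory workaround is already in place on a host, so you can check fleet state before deciding to flip it. The build-number threshold 18362 is an assumption on my part for "1903 and later"; the registry path and value name are the ones quoted above.

```powershell
# Added example, not from the original post or from Microsoft's advisory.
# Audits the SMBv3 compression workaround (ADV200005) on the local host.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'DisableCompression'
# Assumption: Windows 10 / Server version 1903 corresponds to build 18362;
# the post treats pre-1903 builds as not vulnerable.
$firstAffectedBuild = 18362

function Get-SmbCompressionStatus {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    # Missing value means compression is still enabled (the default).
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    $disabled = ($null -ne $item) -and ([int]$item.$valueName -eq 1)
    $inScope  = $build -ge $firstAffectedBuild
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        BuildNumber         = $build
        BuildInScope        = $inScope
        CompressionDisabled = $disabled
        WorkaroundNeeded    = $inScope -and -not $disabled
    }
}

function Enable-SmbCompressionWorkaround {
    # Same command the post quotes from the advisory; returns the new state.
    Set-ItemProperty -Path $regPath -Name $valueName -Type DWORD -Value 1 -Force
    Get-SmbCompressionStatus
}

$status = Get-SmbCompressionStatus
$status | Format-List
if ($status.WorkaroundNeeded) {
    Write-Warning 'SMBv3 compression is still enabled on an in-scope build; run Enable-SmbCompressionWorkaround if your threat model calls for it.'
}
```

Run it as an administrator; reading the value works for any user, but writing it does not.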

If the vulnerable products table is correct (something I'm not betting on yet), the best I could do is take a pre-1903 system (not vulnerable) and diff it against a 1903 system and see what changed. Maybe, for SMBv3, there isn't much, maybe not. I feel like there is a whole lot of luck involved there to find anything.

For those wondering when we'll see an exploit, my money is on sometime after the patch is released, but we'll see scanning pick up almost immediately (if it hasn't already). After that, we'll know more. If it's difficult to exploit, it may be a very long time (as was seen with BlueKeep), but there's no way of knowing right now.

For some background, it appears that Microsoft partners were given early access to vulnerability information, and either this wasn't supposed to be included, or they forgot to mention that this CVE shouldn't be disclosed. https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/

Even though the vulnerability advisory was not published by Microsoft (no explanation for this was released by Redmond so far), a number of security vendors part of Microsoft Active Protections Program who get early access to vulnerability information did release details on the security flaw tracked as CVE-2020-0796.

And for the sake of completion, here is the description:

CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to. Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a “wormable” attack, which means it would be easy to move from victim to victim.

As for a name, apparently it's NedaCry. I'm not particularly fond of it, but Kevin has spoken, so what can we do :/ . This post will be updated once a cool logo has been rendered.