Microsoft has just pushed out its raft of monthly security fixes for March, but amongst those many patches, details of the existence of an unpatched security flaw were accidentally spilled – although fortunately not the exact ins-and-outs of that vulnerability.
As ZDNet reports, the bug in question – codenamed CVE-2020-0796 – is a ‘wormable’ vulnerability in Microsoft’s SMBv3 (Server Message Block) protocol. The fact that it’s wormable means it could spread itself easily and swiftly from device to device, much like the major disaster that was WannaCry (which also exploited the SMB protocol).
The good news is that while this might be a highly worrying vulnerability, and it’s currently unpatched, the actual core exploit code hasn’t been revealed – only the existence of the bug.
That could mean enterprising hackers have been alerted to the security hole, and are now attempting to find it, but it’s not expected to be actively exploited in the wild anytime soon. Hopefully not before Microsoft issues a fix, anyway.
The revelation of the vulnerability wasn’t actually made by Microsoft as such, which didn’t publish details of the problem – rather, third-party security companies released the details of CVE-2020-0796, which is described as a remote code execution vulnerability in SMBv3.
Several security outfits published details of the bug, and as ZDNet observes, they included Cisco Talos and Fortinet.
There are various theories floating around as to what might have gone wrong here, but it seems that it could have been a bug that was expected to be patched by Microsoft this month, but in the end wasn’t.
And while Microsoft pulled the details of the vulnerability itself, the software giant might have forgotten to stop it being supplied to these third-party cybersecurity firms (which scrape the details of all provided fixes via the Microsoft API).
Whatever the case, clearly something went wrong somewhere, although Microsoft hasn’t yet provided an indication of what.
The company has now published a security advisory, which reads: “Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
The advisory further provides a temporary workaround of disabling SMBv3 compression, for those who might be worried about the existence of this bug.
Patch Tuesday for March fixed in excess of 100 security flaws, including some nasty vulnerabilities in Microsoft Word and Outlook.
It’s not clear when a fix might be provided for CVE-2020-0796, but you’d assume that Microsoft is working on it, if indeed the patch was supposed to emerge this month – so it would seem a fair bet that it’ll be delivered in the near future. And the fact that the wormable vulnerability is now common knowledge should encourage a speedier fix.