New SMBv3 unauthenticated remote code execution [CVE-2020-0796]

CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to. Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers. The exploitation of this vulnerability opens systems up to a “wormable” attack, which means it would be easy to move from victim to victim.

There is no fix yet, only a workaround:

Until Microsoft will release a security update designed to patch the CVE-2020-0796 RCE vulnerability, Cisco Talos shared that disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.

Although an official way of disabling SMBv3 compression was not shared by Microsoft, Foregenix Solutions Architect Niall Newman was able to find after analyzing the Srv2.sys file that it can be done by:

1. Going to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
2. Creating a DWORD value called CompressionEnabled
3. Setting its value to 0.

https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-…

Comments

Edited: 2020. 03. 10., Tue - 22:43

The bug was accidentally leaked via an API before the fix:

CVE-2020-0796 was accidentally shared via the Microsoft API, which some antivirus vendors, sysadmins, and reporters scrape for information about Patch Tuesday patches, as soon as they come out.

The theory is that the bug might have been initially scheduled to receive a patch this month, but later pulled; however, without being removed from the API, and eventually making its way into the Talos and Fortinet advisories.

Sub

BlackY

"It is often useful to be able to count how many times an infinite loop has already run." (haroldking)

The official advisory has been published:

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV2…
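The two workarounds quoted in this thread target different registry keys (the unofficial one under LanManWorkstation, the official one under LanmanServer). The script below is an added example, not from the thread or from Microsoft: it audits and applies the official server-side setting from the advisory quoted above, and optionally adds the 445 block that Talos recommended. It assumes an elevated PowerShell session on the host being hardened; the function names and the firewall rule name are this example's own.

```powershell
# Added example (not the thread's or Microsoft's code): audit and apply the
# SMBv3 compression workaround on the local Windows host.
# Assumes an elevated session. Registry path and value name are taken from the
# advisory quoted above; function and rule names are hypothetical.
# Note: per the advisory this only protects the SMB *server* side, not clients.

$SmbServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smbv3CompressionState {
    # Returns 'Disabled' only when DisableCompression is present and set to 1.
    # A missing value means the default applies, i.e. compression is still on.
    $item = Get-ItemProperty -Path $SmbServerParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.DisableCompression -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-Smbv3CompressionDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$BlockPort445)

    if ($PSCmdlet.ShouldProcess($SmbServerParams, 'Set DisableCompression=1')) {
        # Same command as in the advisory, with an explicit -Name for readability.
        Set-ItemProperty -Path $SmbServerParams -Name DisableCompression -Type DWORD -Value 1 -Force
    }

    if ($BlockPort445 -and $PSCmdlet.ShouldProcess('Windows Firewall', 'Block inbound TCP 445')) {
        # Hypothetical rule name. Scoped to the Public profile so domain file
        # sharing keeps working; widen to -Profile Any if the host needs it.
        New-NetFirewallRule -DisplayName 'Block SMB 445 (CVE-2020-0796 workaround)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

# Usage: audit, apply (use -WhatIf to preview), and re-audit.
"Before: SMBv3 compression $(Get-Smbv3CompressionState)"
Set-Smbv3CompressionDisabled -BlockPort445
"After:  SMBv3 compression $(Get-Smbv3CompressionState)"
```

Run the audit function alone across a fleet (e.g. via Invoke-Command) to find hosts that still report 'Enabled' after the rollout.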

It is open on Azure too. Or was it already?

Fun fact: yesterday the by-now-usual .lnk exploit came out too.

 - CVE-2020-0684 [8.8]: Remote code execution in Microsoft LNK. A remote attacker can trick a victim to open a removable drive or remote share, that contains a malicious .LNK file and execute arbitrary code on the target system.


Similar stories from recent years:

 - CVE-2020-0729 [8.8]: The vulnerability allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to insufficient validation of user-supplied input when processing .LNK files.

 - CVE-2019-1280 [9.3]: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed.

 - CVE-2019-1188 [9.3]: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user, aka 'LNK Remote Code Execution Vulnerability'.

 - CVE-2018-8345 [7.6]: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability."

 - CVE-2018-8346 [9.3]: A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability."

 - CVE-2017-8464 [9.3]: Allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."

 - CVE-2010-2568 [9.3] (Stuxnet): allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

Are they doing it on purpose, or can parsing a .lnk really be that complicated?

Maybe its source code got lost too, like the equation editor's, and they have been editing it in binary in Notepad ever since. :)

Microsoft Appears to Have Lost the Source Code of an Office Component

"Have you ever met a C/C++ compiler that would put all functions in a 500+ KB executable on exactly the same address in the module after rebuilding a modified source code, especially when these modifications changed the amount of code in several functions?," 0patch experts asked rhetorically.

The only way the new EQNEDT32.EXE stayed so similar to its previous version was if Microsoft engineers manually edited the binary itself.

The only way this happened is if Microsoft somehow lost the source code of a long forgotten Office component.

https://www.bleepingcomputer.com/news/microsoft/microsoft-appears-to-ha…

By the way, that is no small feat; if they can develop like that, hats off :)

They did it once, then a few updates later they just ripped it out retroactively, even from already-installed Office installations. (https://docs.microsoft.com/en-us/office/troubleshoot/error-messages/iss…)

BlackY
