Microsoft: New Wormable, Unpatched Bug in SMB File-Sharing System
Microsoft has published a security advisory, warning users that there is a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
Charles Ragland, security engineer at Digital Shadows, says that the vulnerability allows for unauthenticated users to remotely execute code on victim machines. "Attackers could either target existing SMBv3 servers or impersonate an SMBv3 server and attack connecting clients. There's currently no evidence that the exploit has been used in the wild. Given the prevalence of SMB, if an exploit is made public, it could prove to be a large issue for companies to deal with, as there is currently no patch available," says Ragland.
Ragland also notes that disabling SMBv3 file compression is the only mitigation available currently, "but this does not mitigate the risk for a client to connect to a malicious server. Outside that, standard security best practices are advised. Disable unnecessary services, block ports at the firewall, and ensure that host based measures are in place to prevent users from accessing/modifying security controls.”
According to a Threatpost.com report, this same protocol was targeted by the WannaCry ransomware in 2017. Chris Morales, head of security analytics at Vectra, says that, “Based on previous attacks like WannaCry that leveraged SMB for propagation, there is a very real risk of this latest SMB flaw to be exploited in a similar manner. By now, one would hope that many organizations understand the impact of not allowing SMB traffic from an external destination. Unfortunately, in the real world it isn’t always that easy. In particular in hard to control environments like healthcare. This is why it is important to first try to block as much as you can and monitor what you can’t.”
Thomas Hatch, CTO and Co-Founder at SaltStack, says that “SMB, like many such services, should never be exposed to the outside internet - this is typically how these types of vulnerabilities get exploited. It is very common for IT staff to set up services like SMB improperly so that they are exposed in this manner. Because the vulnerability is a remote execution vulnerability, it is of greater severity than most. Microsoft filesharing is not the only SMB system available today. An open-source service called Samba is also available. However, as noted in this vulnerability, the issue is within the protocol. The SMB protocol is very old and has already seen many vulnerabilities over the years. In a nutshell, make sure that filesharing is not exposed over public networks, like open Wi-Fi or over the internet, and hopefully, this issue will be fixed by Microsoft quickly.”