Microsoft Forced to Patch Leaked Wormable SMB Flaw

Written by

Microsoft has been forced to patch a vulnerability in the Server Message Block (SMB) protocol which was accidentally disclosed by some of its security partners earlier this week.

The fix, KB4551762, is an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.

It addresses a remote code execution (RCE) vulnerability in the way SMBv3 handles certain requests, which could allow an attacker to execute code on a victim’s server or client.

“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,” Microsoft explained.

“The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.”

According to SophosLabs, the flaw, dubbed SMBGhost, could be used in a number of different ways and is potentially wormable — i.e. it doesn’t require user interaction to spread.

That draws unhappy parallels with another wormable SMB bug which was exploited back in 2017 by the WannaCry attackers. However, the number of impacted machines in this case appears to be far fewer.

Security vendor Kryptos Logic claimed that around 48,000 servers are vulnerable to the new vulnerability, although it didn’t scan for exposed clients.

The patch was rushed out by Microsoft just days after its monthly update round, after a backroom error meant some of the tech giant’s security partners on its Microsoft Active Protections Program released details of the vulnerability.

Redmond was right to take action, as researchers are already publishing proof-of-concept exploits online.

This month’s Patch Tuesday was a big one for sysadmins, fixing 115 unique CVEs including 26 critical bugs.

What’s hot on Infosecurity Magazine?