Microsoft on Thursday released an unscheduled fix for a critical security bug that makes it possible for attackers to remotely execute malicious code that can spread from vulnerable machine to vulnerable machine without requiring any interaction from users.
The flaw, in version 3 of Microsoft’s implementation of the Server Message block protocol, is present only in 32- and 64-bit Windows 10 versions 1903 and 1909 for clients and servers. Although the vulnerability is difficult to exploit in a reliable way, Microsoft and outside researchers consider it critical because it opens large networks to “wormable” attacks, in which the compromise of a single machine can trigger a chain reaction that causes all other Windows machines to quickly become infected. That’s the scenario that played on with the WannaCry and NotPetya in 2017.
In a bulletin accompanying Thursday’s patch, Microsoft said it has no evidence the flaw is being actively exploited, but the company went on to label the bug as “exploitation more likely.” That designation means malicious actors will probably develop and use exploits in the future.
Microsoft officials wrote:
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
Shortly after Microsoft issued the out-of-band fix, researchers at security firm Sophos published an analysis that elaborated on the vulnerability. It said:
The vulnerability involves an integer overflow and underflow in one of the kernel drivers. The attacker could craft a malicious packet to trigger the underflow and have an arbitrary read inside the kernel, or trigger the overflow and overwrite a pointer inside the kernel. The pointer is then used as [a] destination to write data. Therefore, it is possible to get a write-what-where primitive in the kernel address space.
Roughly translated, the details mean that attackers with a well-written exploit might be able to read plain-text passwords or other data sensitive data and could also obtain a command shell that can be used to take control of the vulnerable machine. EternalBlue—an earlier SMB exploit developed by and later stolen from the National Security Agency—also obtained a read-write capability to replace an inbound function in an inbound SMB function with a malicious function. That allowed the attacker to execute malicious code the next time a vulnerable machine called the SMB function.
Multiple ways to exploit
The Sophos write-up said malicious hackers could use the exploit in at least three scenarios:
Scenario 1: The attacker targets a machine sharing files. If a user or administrator has changed default settings to open port 445 or disabled the Windows firewall, or if the machine belongs to a Windows Domain, the machine is open to a remote form of attack that allows attackers to take control.
“It goes without saying that any unpatched system with the vulnerable SMB port open to the public Internet could become a target of opportunity for a worm-like outbreak, similar to WannaCry,” members of the SophosLabs offensive security team wrote in Thursday’s blog post. “The mitigating factor is that it requires an attacker with a state-of-the-art exploit that could bypass all the security mitigation Microsoft has built in to Windows 10 and that the target has port 445/tcp open for incoming connections.”
Scenario 2: An attacker tricks a user into connecting to a malicious server. Attackers could use spammed messages that contain links that, when clicked, cause the vulnerable machine to join the attacker’s malicious network. With that, the attacker would have full control over the machine. A variation: the attacker who already has limited access to a network spoofs a trusted device inside the organization. Machines that use SMBv3 to connect to that spoofed machine are then compromised.
When the two variations are combined, this type of attack might be useful in gaining initial access to a targeted network and then pivoting to more privileged or sensitive machines. A disadvantage from the attacker’s standpoint is that these types of exploits require the social engineering of a targeted user.
Scenario 3: An attacker who gains limited access to a vulnerable computer through other means, exploits the SMBv3 flaw to run malicious code that has the same system rights as the targeted user. From there, attackers might be able to further elevate privileges to those of SYSTEM. Sophos demonstrated this third attack scenario in the video below:
Researchers from Sophos and elsewhere have stressed that the robust security defenses Microsoft has added to Windows 10 make it extremely difficult to develop reliable exploits. Those defenses are likely to cause many targeted machines to crash and thereby tip off users or administrators that an attempted attack is under way.
These mitigations don’t mean that the SMBv3 vulnerability isn’t likely to be maliciously exploited. The ability to reverse-engineer Thursday’s patch, combined with the high-stakes consequences of successfully exploiting the flaw, will likely prompt highly skilled attackers to develop attacks.
Anyone using a Window 10 machine—particularly those who share printers, files, or resources over any kind of networks—should install the patch as soon as practicable. For those unable to install patches right away, less effective mitigations are to (1) disable SMB compression and (2) block port 445 to the outside Internet (this latter step is something security experts have long considered vital anyway). Another possible mitigation is to block port 445 inside a local network, but Sophos warned that measure comes at a cost.
“TCP port 445 is not only used by SMB, but by some other vital components of a Windows Domain. The only way to mitigate the vulnerability is to patch,” Thursday’s post explained.