Just days after the monthly Patch Tuesday swathe of Windows security updates was released, Microsoft has issued an emergency “out of band” update for Windows 10 users in response to the leaking of a critical vulnerability.
Microsoft issues critical out of band security update for Windows 10 users
Microsoft has urged Windows 10 users to “take action” now that the out of band security update for CVE-2020-0796 has been released. CVE-2020-0796, named SMBGhost or EternalDarkness by various security vendors, is a critical vulnerability that is both wormable and affects the Server Message Block (SMB) network communications protocol. Yes, the protocol that enables shared access to your files and printers as well as serial ports. And, yes, the same SMB protocol that was exploited by the NSA-developed EternalBlue to such devastating effect during the WannaCry attacks in 2017.
Kieran Roberts, head of penetration testing at Bulletproof, said at the time of the leak that “SMB is the protocol used for sharing files; this is the same protocol that was vulnerable to the EternalBlue (CVE-2017-0144) exploit, which was weaponized into the WannaCry ransomware. It appears that this new vulnerability has several of the same hallmarks as EternalBlue. This means that this new vulnerability could result in a resurgence of ransomware attacks such as WannaCry and NotPetya, which both used the very similar EternalBlue exploit.”
How did the CVE-2020-0796 leak happen?
The reason SMBGhost was disclosed early appears to be a miscommunication in the patching and disclosure process that led some vendors to believe a fix for CVE-2020-0796 would be included in the Patch Tuesday updates. They then published details of it in their update round-up blogs. Although those disclosures were quickly removed, the details rapidly spread across social media, especially within the online infosecurity community.
What has Microsoft said about the SMBGhost vulnerability?
As I reported on March 11, the vulnerability sits in the SMB 3.0 network communication protocol and, if successfully exploited by an attacker, could enable remote and arbitrary code execution and potentially give the attacker control of the system. Microsoft said that it had not yet “observed an attack exploiting this vulnerability,” but recommended that users “apply this update to your affected devices with priority.” Proof-of-concept exploits have, however, already been developed by security researchers. That likely means it is only a matter of time, and a very short time at that, before unpatched systems start being exploited by attackers.
What you need to do now
The good news for Windows 10 users is that, assuming automatic updates are enabled, no further action is required: the system will apply the patch and protect against any exploit of this critical vulnerability. If automatic updates are disabled, however, you will need to update manually, and as soon as possible. Microsoft said it is important to note that the KB4551762 update needs to be applied even if you installed the Patch Tuesday updates.
Likewise, if you implemented the workaround in Microsoft Security Advisory ADV200005 to disable SMBv3 compression, you still need to install this out of band update. If you cannot apply the update, that workaround is still recommended for organization admins, who should also block TCP port 445 at the network perimeter. Everyone else should use Windows Update to check for updates and kick-start the installation process if required, or download the KB4551762 update directly from the Microsoft Update Catalog.
Which versions of Windows are affected?
The following versions of Windows 10 are impacted by this vulnerability:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
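To check a host against the list above, here is an added PowerShell audit script that is not part of the article or of Microsoft's advisory: it reports whether the machine runs one of the affected 1903/1909 builds, whether KB4551762 is installed, whether the ADV200005 compression workaround is set, and whether SMB is listening on TCP 445. The `DisableCompression` registry value, the hotfix id and the fixed build revisions (18362.720 and 18363.720) are assumptions drawn from the advisory and the update's release notes rather than from this page.

```powershell
# Added example (not from the article or from Microsoft): audit a Windows 10 / Server
# host for CVE-2020-0796 exposure. The KB id, registry value name and fixed build
# revisions below are assumptions taken from ADV200005 and the KB4551762 release notes.

# Builds 18362 (1903) and 18363 (1909) are the affected servicing branches; the
# out of band update is assumed to raise the UBR (revision) to 720 on both.
$AffectedBuilds = @{ 18362 = 720; 18363 = 720 }
$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbGhostStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    $affectedBranch = $AffectedBuilds.ContainsKey($build)
    $patchedByBuild = $affectedBranch -and ($ubr -ge $AffectedBuilds[$build])
    $kbPresent      = [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

    # ADV200005 workaround: DisableCompression = 1 under LanmanServer\Parameters
    $comp = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    $workaround = ($null -ne $comp) -and ($comp.DisableCompression -eq 1)

    # Is the SMB server reachable on TCP 445 at all on this host?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    $patched = $patchedByBuild -or $kbPresent
    [pscustomobject]@{
        Build            = "$build.$ubr"
        AffectedBranch   = $affectedBranch
        Patched          = $patched
        KB4551762        = $kbPresent
        CompressionOff   = $workaround
        Port445Listening = $listening
        Exposed          = $affectedBranch -and -not $patched -and -not $workaround
    }
}

$status = Get-SmbGhostStatus
$status | Format-List

if ($status.Exposed) {
    Write-Warning 'Affected build without KB4551762 or the ADV200005 workaround: apply the update.'
    # Interim mitigation from ADV200005 if the update cannot be installed right now
    # (uncomment to apply; requires an elevated shell and does not replace the update):
    # Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}
```

Run it in an elevated PowerShell session on each 1903/1909 host; a result with `Exposed` set to True is one that still needs KB4551762.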