Wednesday, 11 March 2020 08:56

Microsoft leaks details of wormable flaw in SMB protocol


Microsoft appears to have bungled the release of details of flaws in its operating systems and application software this month, with details of a wormable flaw in the SMB protocol leaking online even though the company did not release a fix for it as part of its normal monthly Patch Tuesday.

Researchers from the Cisco Talos Group mentioned details of the bug, which has been assigned the identifier CVE-2020-0796, in the blog post the company normally publishes to detail the patches issued on the day, and then removed them.

Cisco, however, covered up Microsoft's error and removed details of the flaw. The company's researchers, Jon Munshaw and Vitor Ventura, made no mention of the censorship of these details in their blog post either.

The security firm Fortinet also released details about the flaw, writing: "This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers.

Fortinet has not indulged in censorship as Cisco has; the company's post is still up as of the time of writing.

"The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application."


While Fortinet advised the application of a patch to mitigate the issue, there is no patch available at the URL provided which goes to the Microsoft Security Response Centre.

There were a total of 117 flaws listed in all by Microsoft, not counting the bug for which details were removed. Twenty-five of these are considered critical.

Flaws in the SMB protocol have in the past been exploited and resulted in worms like WannaCry and NotPetya.

iTWire has contacted Microsoft for comment.

Update: Well-known British security researcher Kevin Beaumont, who will be joining Microsoft as a security threat analyst in a few months, issued a tweet at about 10am AEDT on Wednesday, linking to a post that gives the following details:

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

Update, March 12, 5.45am AEDT: Some additional information about mitigation has been added to the same post. There is no indication of the time when this was added.
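The advisory quoted above describes the flaw in terms of how SMBv3 handles a "maliciously crafted compressed data packet", so one thing a defender can do while waiting for a patch is inventory which SMB messages on the wire are actually using the SMB 3.1.1 compression feature. The following is an added example written for this page, not code from Microsoft, Cisco, Fortinet or the article's author. It classifies an SMB2 message by its four-byte ProtocolId (the values 0xFE/0xFD/0xFC followed by "SMB" and the compression transform header layout are as documented in MS-SMB2) and flags obviously inconsistent compression headers. The alerting threshold `MAX_DECOMPRESSED_SIZE` and the sample messages are constructed assumptions, not values from the article.

```python
"""Classify SMB2 messages by ProtocolId and inspect SMB 3.1.1 compression
transform headers, as a detection / inventory aid for defenders.

Header layout (MS-SMB2, SMB2 COMPRESSION_TRANSFORM_HEADER), little-endian:
  ProtocolId(4) OriginalCompressedSegmentSize(4) CompressionAlgorithm(2)
  Flags(2) Offset-or-Length(4)
"""
import struct

# ProtocolId values from MS-SMB2
SMB2_HEADER = b"\xfeSMB"              # ordinary SMB2 header
SMB2_TRANSFORM_HEADER = b"\xfdSMB"    # encrypted message
SMB2_COMPRESSION_HEADER = b"\xfcSMB"  # compressed message (SMB 3.1.1)

COMPRESSION_ALGORITHMS = {
    0x0000: "NONE",
    0x0001: "LZNT1",
    0x0002: "LZ77",
    0x0003: "LZ77+Huffman",
    0x0004: "Pattern_V1",
}
FLAG_CHAINED = 0x0001  # when set, the last field is a Length, not an Offset

# Assumed alerting threshold (not from the article): a declared decompressed
# size above this is treated as anomalous. Tune per environment.
MAX_DECOMPRESSED_SIZE = 8 * 1024 * 1024


def classify_smb2(msg: bytes) -> dict:
    """Describe one SMB2 message. `msg` is the payload that follows the
    4-byte NetBIOS session service header on TCP/445."""
    if len(msg) < 4:
        return {"kind": "short", "anomalous": True, "reason": "no ProtocolId"}
    pid = msg[:4]
    if pid == SMB2_HEADER:
        return {"kind": "smb2", "anomalous": False}
    if pid == SMB2_TRANSFORM_HEADER:
        return {"kind": "encrypted", "anomalous": False}
    if pid != SMB2_COMPRESSION_HEADER:
        return {"kind": "unknown", "anomalous": True, "reason": "unknown ProtocolId"}
    if len(msg) < 16:
        return {"kind": "compressed", "anomalous": True, "reason": "truncated header"}

    orig_size, algo, flags, off_or_len = struct.unpack_from("<IHHI", msg, 4)
    info = {
        "kind": "compressed",
        "algorithm": COMPRESSION_ALGORITHMS.get(algo, f"unknown(0x{algo:04x})"),
        "flags": flags,
        "original_size": orig_size,
        "offset_or_length": off_or_len,
        "anomalous": False,
    }
    reasons = []
    if algo not in COMPRESSION_ALGORITHMS:
        reasons.append("unknown algorithm")
    if orig_size > MAX_DECOMPRESSED_SIZE:
        reasons.append("declared size exceeds threshold")
    # In the non-chained form the field is an offset into the data that
    # follows the 16-byte header; it cannot point past the payload.
    if not flags & FLAG_CHAINED and off_or_len > len(msg) - 16:
        reasons.append("offset beyond payload")
    if reasons:
        info["anomalous"] = True
        info["reason"] = "; ".join(reasons)
    return info


def summarize(messages) -> dict:
    """Count message kinds across a capture, e.g. to see whether any host
    is negotiating SMB compression at all."""
    counts = {}
    for m in messages:
        kind = classify_smb2(m)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample messages (not real captures).
SAMPLE_PLAIN = SMB2_HEADER + b"\x00" * 60
SAMPLE_COMPRESSED = (SMB2_COMPRESSION_HEADER
                     + struct.pack("<IHHI", 4096, 0x0001, 0, 0) + b"\x00" * 32)
SAMPLE_OVERSIZED = (SMB2_COMPRESSION_HEADER
                    + struct.pack("<IHHI", 0xFFFFFFFF, 0x0001, 0, 0) + b"\x00" * 32)

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_COMPRESSED, SAMPLE_OVERSIZED):
        print(classify_smb2(sample))
    print(summarize([SAMPLE_PLAIN, SAMPLE_COMPRESSED, SAMPLE_OVERSIZED]))
```

Fed with the SMB2 payloads pulled from a packet capture, `summarize` shows whether compressed SMB 3.1.1 traffic is present on a segment at all, and `classify_smb2` gives a cheap first-pass flag for headers whose declared sizes do not make sense, which is useful as a monitoring signal until the vendor fix is applied.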



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
