Windows Has a New Wormable Vulnerability With No Patch Available (arstechnica.com)
A vulnerability in version 3.1.1 of the Server Message Block (SMB) -- the service that's used to share files, printers, and other resources on local networks and over the internet -- can allow attackers to execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in an advisory. Ars Technica reports: The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909, and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren't available, and Tuesday's advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, "Beyond the advisory you linked, nothing else to share from Microsoft at this time."
In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine: "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' DisableCompression -Type DWORD -Value 1 -Force". That fix won't protect vulnerable client computers or servers if they connect to a malicious SMB service, but in that scenario, the attacks aren't wormable. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.
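The workaround in the summary is a single registry write; the script below, added here and not taken from the article or from Microsoft, turns it into an audit step (is this host an affected build, is DisableCompression already set, is inbound TCP/445 blocked by the Windows firewall) plus an opt-in remediation. The function names are my own; the mapping of builds 18362 and 18363 to versions 1903 and 1909 is assumed from Microsoft's release numbering, and the script assumes Windows PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example (not from the article or the Microsoft advisory): audit and optionally apply
# the CVE-2020-0796 SMBv3 compression workaround on the local host.
function Get-SmbCompressionWorkaroundState {
    [CmdletBinding()]
    param()

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $name = 'DisableCompression'

    # Assumption: build 18362 is Windows 10 / Server 1903 and 18363 is 1909, the versions
    # named in the advisory. Other builds are reported as not affected by this check.
    $build         = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $affectedBuild = $build -in 18362, 18363

    # The value is absent on a default install; treat anything other than 1 as "compression on".
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $compressionDisabled = ($value -eq 1)

    # Enabled inbound firewall rules whose action is Block and whose port filter covers TCP/445.
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedBuild       = $affectedBuild
        CompressionDisabled = $compressionDisabled
        Port445BlockRules   = @($blockRules).Count
        NeedsAction         = ($affectedBuild -and -not $compressionDisabled)
    }
}

function Set-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ($PSCmdlet.ShouldProcess($key, 'Set DisableCompression=1')) {
        # Same write as the command quoted in the summary; takes effect without a reboot.
        Set-ItemProperty -Path $key -Name DisableCompression -Type DWORD -Value 1 -Force
    }
}

$state = Get-SmbCompressionWorkaroundState
$state | Format-List
# -WhatIf only reports; drop it to actually apply the workaround.
if ($state.NeedsAction) { Set-SmbCompressionWorkaround -WhatIf }
```

As the summary notes, this only covers the server side; a client that connects to a hostile SMB share is not protected by the registry value, so the firewall count is reported separately rather than folded into NeedsAction.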
Wow (Score:4, Interesting)
Re: (Score:2)
That's how quarantines work, lol
Re: (Score:2)
Re:Wow (Score:4, Interesting)
The SMB protocol via port 445 does a lot more than just file sharing, and it's enabled by default on all windows versions whether you intended to configure the host as a file server or not.
Blocking it however is stupid, something like this should absolutely not be running by default so there should be nothing to block. Network listening services should always be opt-in, you should have to explicitly configure and enable them if you have a need to run the service in question.
Re: (Score:3)
Blocking it however is stupid, something like this should absolutely not be running by default so there should be nothing to block. Network listening services should always be opt-in, you should have to explicitly configure and enable them if you have a need to run the service in question.
The exploit happens in the smb client too.
You shouldn't be connecting to SMB shares on the Internet from your servers anyway, so allowing 445 outbound the Internet is what is stupid, you most certainly should block it.
Not sure what you mean by opt-in, every version of windows allows you to type "\\ip\share" in an explorer window for some time now, and I don't believe that feature is a service at all but built into the shell.
Re: (Score:2)
I know of some ISPs that block SMB packets on their switches as that is how a lot of viruses spread. Microsoft is never going to make that service secure anyway. How many remote code execution and similar bugs were discovered on that thing? Going all the way back to Windows 2000/XP and Blaster.
Re: (Score:2)
Microsoft's scheme is to block those services on internet interfaces but not on LAN interfaces. That's why when you connect to a network it asks you if it is public or private or work.
A private or work network has to be firewalled off from the internet. The danger is that if something gets inside the network it can spread quickly, but that's not really a big issue because as we have seen with ransomware it doesn't even need exploits to do that on most corporate networks. The file shares are just there, the
Re: (Score:2)
Blocking it however is stupid
On a local network, yes. On a firewall to another network, no, it's not stupid, it's basic security precaution. There's nothing that port 445 is responsible for that should ever leave your local network.
The big risk is roving machines, i.e. laptops connecting to public untrusted network. Which reminds me, if you're on an untrusted network why not block this port as well?
something like this should absolutely not be running by default so there should be nothing to block.
Except it does more than just file sharing, so yes having it running by default is precisely what systems which work without making users
Re: (Score:3)
Their solution is block file-sharing on servers? Ahahahahahahahahaha
That's not what the summary says. It says that their solution is disabling compression.
Re: (Score:2)
Microsoft also recommended users block port 445
They could have added "don't turn on your computer and you won't get the worm". Maybe in the next "advisory".
Re: (Score:2)
Build a fire wall and make America On Line great again!
Re:Wow (Score:4, Insightful)
Re: Wow (Score:3)
Yeah, it's not like decades old bugs don't pop up in the most popular open source security library...
Re: (Score:2)
...written in a language where bounds checking is optional, because it's for people that know what they're doing.
Re:Wow (Score:4, Informative)
Their solution is block file-sharing on servers? Ahahahahahahahahaha
If you really need SMB you can always migrate your file servers to linux.
Re: (Score:2)
If you're not running many services, it should be fine to leave linux without updates.
Re: (Score:2)
Or just apply the patch. https://support.microsoft.com/... [microsoft.com]
Re: (Score:2)
Their solution is block file-sharing on servers? Ahahahahahahahahaha
No, their solution is to block SMB on untrusted networks.
Re: (Score:2)
I wouldn't be so sure about that. My guess is that they don't list any OSs older because, well, they're EOL, why bother?
Re: (Score:2)
meanwhile (Score:2)
my corporate copy of Windows 7 on a virtual machine continues to get updates
windows 10 must be for losers
Re: (Score:2)
Re:meanwhile (Score:4, Insightful)
You had the choice of running Linux on the hardware, and Windows in a VM. Which is what I'll do when I can no longer run Windows 7 on my machine. I already dual boot Linux, and I can run my Windows 7 install under VMware on Linux, or my Linux install under VMware on Windows. But my next machine will probably be Zen3, and it won't run win7, so it will just have to be in a VM.
Re: (Score:2)
You don't know what his situation is. Maybe he's running some obscure hardware that needs W7 and well, good luck interfacing that from within a VM.
At best you can interface USB and GPU devices from within your VM. But anything else, from a simple serial port to custom PCI hardware might only run on bare metal.
Claiming a VM as solution for everything shows a very software-oriented mind and is dismissing zillions of edge cases where VMs simply do not suffice. Might as well suggest the parent to run ReactOS. Or
Re: (Score:2)
Anyone who bought obscure hardware that is dependent on Windows is already beyond help. They have proven that they make poor decisions.
Re: (Score:1)
Re: (Score:1)
Re: meanwhile (Score:2)
Re: (Score:2)
That's what they say. But they have a history of releasing critical patches well after EOL, probably because the US government is still using it and insists.
Re: (Score:2)
You paid MS for new critical updates from its WU? :P
Yawn (Score:2)
Re: Yawn (Score:1)
Re: (Score:2)
How can you not love a mashup of Shakespeare's Hamlet with Bizet's Carmen?
Re: (Score:1)
True dat. This is giving me flashbacks to the 1990's when SMB was a known issue...
Re: (Score:1)
This is no joke. Where's the Samba CVE? How can Linux ever compete with Windows if we can't even duplicate their bugs?
So version 3.1.1 (Score:2)
That's SMB for Workgroups?
Key term (Score:2)
Over the internet.
Why in Gawd's name would you be attaching to a SMB share (of any flavor) over the internet?
If your local network i.e. the shit provided by your company, is vulnerable then the security group should find the people responsible for exploiting this "feature" and fire their asses.
How many Linux SMB installations are vulnerable to this? Microsoft is probably not alone in this.
Re: (Score:3)
Some companies, which I won't name here, have been selling their Home Cloud products to people.
Essentially NAS drives that come with a small server that makes them accessible through the internet. Among other things they do use the SMB protocol for file sharing between their stationary home devices and a mobile device like a laptop.
I guess some half tech savvy people could have had the brilliant idea that they don't need dedicated har
Re: (Score:2)
> How many Linux SMB installations are vulnerable to this?
None.
>Microsoft is probably not alone in this.
Nope. In this case they are, actually. They added an SMB3 transform compression header which Samba doesn't implement (yet). There was a bug in their compression libraries. Hence the bug. Even if we did implement SMB3 transform compression we'd be using different compression libraries (which may have their own bugs of course - compression/decompression code is notoriously hard to get right).
"Wormable" does not cut it (Score:3)
So I just have my laptop on the internet, and a completely unauthorized attacker can take over my machine. That is appalling.
If I let someone into the house by running a program or opening a document and they manage to become root that is bad. But not NEARLY as bad as an exploit that can be activated cold. Either by just being on the internet or receiving an email.
There are security flaws and there are security flaws, and the popular press does not understand the difference. The word "Wormable" does not really cut it. "Absolute vulnerability" or the like is what it should say.
Re: (Score:2)
It's already true that you can't use Windows without a firewall. This is just one more reason why. Luckily it has a moderately acceptable one built in these days.
Re: (Score:2)
So I just have my laptop on the internet, and a completely unauthorized attacker can take over my machine. That is appalling.
Nope. You need to open your laptop on the internet, AND then tell Windows you're on a private network against the warning that you should never do this on the open internet, AND you need to not be behind NAT or a firewall.
There are security flaws and there are security flaws, and the popular press does not understand the difference.
Evidently neither do Slashdot posters. If this were the 90s and we still connected to the internet like in the 90s this would be wormable. But we don't so it's not.
The problem runs deeper (Score:4, Insightful)
It's one of those classic Windows problems, that you can't just turn a service for X off without affecting Y, Z and a bunch of others where you wonder why the fuck they depend on a service that should have nothing to do with them. In a sensible system, you could now simply ponder whether you need file sharing and if not, turn the service off and be done with it. Not so in Windows. Try to disable that service, I dare you.
Re: (Score:2)
Last I saw disabling samba in Linux also prevents you from joining domain controllers, printing to network printers, and doing anything else that uses that protocol. Your (very mistaken) view is that this is just for file sharing.
Also it's not a classic windows problem as in the 90s we learnt to block external network attempts at samba ports. Even now Windows 10 will block the service by default if the network you're connected to is considered "Public" and if you allow access to the ports used for samba f
Re: (Score:2)
> All these samba exploits have been a big *yawn*. Wormable it may be in theory, but a threat it won't be in practice.
Just a correction. This is not a Samba exploit. It's an exploit in Microsoft's implementation of the SMB3 protocol (which is native on Windows). Samba is *not* the same as the protocol - it's actually a separate open source project that implements SMB1/2/3 - https://samba.org/ [samba.org]
Yeah I know it's easy to get the two mixed up. Even Microsoft marketing have done so on occasion :-).
Editors??? (Score:3)
At least verify a command recommended to readers is error free.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
(notice no trailing . included in the '')
Kinda makes a difference, especially for JoeSixpack
Re: (Score:2)
If you are into security (Score:1)
Turned off at the command line?? (Score:1)
Asking for a friend.
Re: (Score:2)
If an attacker has admin-level permission to run the command, you are already pwned....
Re: (Score:1)
I'm not sure if Microsoft has fixed that with Windows XP either.
Question (Score:1)
Re: Question (Score:1)
No (Score:1)
Patches are now available (Score:3)
In other silver linings, home PCs all have SMB to the internet blocked by default and most home routers don't have any inbound forwarding rules. Meanwhile, enterprises which are more likely to get hit by a worm have likely not yet migrated to 1903+ in most cases.
SMB again (Score:3)
This thing seems to be vulnerable again and again and again. Typical MS "quality" level software.
Re: (Score:2)
Just as well Linux and Mac never has security issues.
(Copy of a comment I posted at Arstechnica). (Score:2)
Microsoft hasn't contacted us (Samba) so this almost certainly isn't a protocol level bug (they're *very* good about being proactive on these), but an error in their implementation of the SMB3 compression transform.
In other words, a typical buffer overrun in a compression library. Gee, wonder where I've seen these before.
Currently Samba doesn't implement that specific SMB3 compression transform header (we do implement the SMB3 encryption transform header, which isn't vulnerable), an example where being slow
MICROS~1 strikes again :] (Score:2)