Windows Has a New Wormable Vulnerability With No Patch Available

A vulnerability in version 3.1.1 of the Server Message Block (SMB) -- the service that's used to share files, printers, and other resources on local networks and over the internet -- can allow attacks to execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in an advisory. Ars Technica reports: The flaw, which is tracked as CVE-2020-0796, affects Windows 10, versions 1903 and 1909 and Windows Server versions 1903 and 1909, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren't available, and Tuesday's advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said, "Beyond the advisory you linked, nothing else to share from Microsoft at this time."

In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine: "Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force." That fix won't protect vulnerable client computers or servers if they connect to a malicious SMB service, but in that scenario, the attacks aren't wormable. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.

Wow

[jargonburn]

Their solution is block file-sharing on servers? Ahahahahahahahahaha

Re:

[cdsparrow]

That's how quarantines work, lol

Re:

[jargonburn]

It should very likely already BE blocked if file-sharing isn't one of its purposes. And if you don't have it blocked, ya probably had a goddamn reason lol

Re:Wow

[Bert64]

The SMB protocol via port 445 does a lot more than just file sharing, and it's enabled by default on all windows versions whether you intended to configure the host as a file server or not.
Blocking it however is stupid, something like this should absolutely not be running by default so there should be nothing to block. Network listening services should always be opt-in, you should have to explicitly configure and enable them if you have a need to run the service in question.

Re:

[dissy]

Blocking it however is stupid, something like this should absolutely not be running by default so there should be nothing to block. Network listening services should always be opt-in, you should have to explicitly configure and enable them if you have a need to run the service in question.

The exploit happens in the smb client too.

You shouldn't be connecting to SMB shares on the Internet from your servers anyway, so allowing 445 outbound the Internet is what is stupid, you most certainly should block it.

Not sure what you mean by opt-in, every version of windows allows you to type "\\ip\share" in an explorer window for some time now, and I don't believe that feature is a service at all but built into the shell.

Re:

[Pentium100]

I know of some ISPs that block SMB packets on their switches as that is how a lot of viruses spread. Microsoft is never going to make that service secure anyway. How many remote code execution and similar bugs were discovered on that thing? Going all the way back to Windows 2000/XP and Blaster.

Re:

[AmiMoJo]

Microsoft's scheme is to block those services on internet interfaces but not on LAN interfaces. That's why when you connect to a network it asks you if it is public or private or work.

A private or work network has to be firewalled off from the internet. The danger is that if something gets inside the network it can spread quickly, but that's not really a big issue because as we have seen with ransomwear it doesn't even need exploits to do that on most corporate networks. The file shares are just there, the

Re:

[thegarbz]

Blocking it however is stupid

On a local network, yes. On a firewall to another network, no, it's not stupid, it's basic security precaution. There's nothing that port 445 is responsible for that should ever leave your local network.

The big risk is roving machines, i.e. laptops connecting to public untrusted network. Which reminds me, if you're on an untrusted network why not block this port as well?

something like this should absolutely not be running by default so there should be nothing to block.

Except it does more than just file sharing, so yes having it running by default is precisely what systems which work without making users

Re:

[PsychoSlashDot]

Their solution is block file-sharing on servers? Ahahahahahahahahaha

That's not what the summary says. It says that their solution is disabling compression.

Re:

[Dunbal]

You missed this part right at the end:

Microsoft also recommended users block port 445

They could have added "don't turn on your computer and you won't get the worm". Maybe in the next "advisory".

Re:

[xushi]

Build a fire wall and make America On Line great again!

Re:Wow

[Canberra1]

That is the problem 'Microsoft has invested huge amounts of resources hardening against ' What MS lacked was 1) Independant peer review by invited experts 2) State testing. See Certificates. Whoever writes this shit does not know how to do bench testing or state testing. 3) Bounds checking. Still a toy operating system heh. 4) As Agile or Buddy coding lacks doco, BIG things can slip through. 5) Thanks to Intel CPU defects, people can now do better reverse traces. Oopps. Like Intel, Oracle Java and Boeing, the line 'Trust us' has broken. And there is no sign of MS mending arrogant ways.

Re: Wow

[viperidaenz]

Yeah, it's not like decades old bugs don't pop up in the most popular open source security library...

Re:

[swilver]

...written in a language where bounds checking is optional, because it's for people that know what they're doing.

Re:Wow

[Aighearach]

Their solution is block file-sharing on servers? Ahahahahahahahahaha

If you really need SMB you can always migrate your file servers to linux.

Re:

[Aighearach]

If you're not running many services, it should be fine to leave linux without updates.

Re:

[thegarbz]

Or just apply the patch. https://support.microsoft.com/... [microsoft.com]

Re:

[chispito]

Their solution is block file-sharing on servers? Ahahahahahahahahaha

No, their solution is to block SMB on untrusted networks.

Re:

[Opportunist]

I wouldn't be so sure about that. My guess is that they don't list any OSs older because, well, they're EOL, why bother?

Re:

[Merk42]

Windows 8.1 isn't EOL yet, but who uses that?

meanwhile

[iggymanz]

my corporate copy of Windows 7 on a virtual machine continues to get updates

windows 10 must be for losers

Re:

[Dunbal]

Try running Windows 7 on the latest hardware. I had no choice.

Re:meanwhile

[drinkypoo]

You had the choice of running Linux on the hardware, and Windows in a VM. Which is what I'll do when I can no longer run Windows 7 on my machine. I already dual boot Linux, and I can run my Windows 7 install under VMware on Linux, or my Linux install under VMware on Windows. But my next machine will probably be Zen3, and it won't run win7, so it will just have to be in a VM.

Re:

[xonen]

You don't know what his situation is. Maybe he's running some obscure hardware that needs W7 and well, good luck interfacing that from within a VM.

At best you can interface USB and GPU devices from withing your VM. But anything else, from a simple serial port to custom PCI hardware might only run on bare metal.

Claiming a VM as solution for everything shows a very software-oriented mind and is dismissing zillions of edge cases where VM's simply not suffice. Might as well suggest the parent to run ReactOS. Or

Re:

[drinkypoo]

Anyone who bought obscure hardware that is dependent on Windows is already beyond help. They have proven that they make poor decisions.

Re:

[skinfaxi]

Like ...every science lab in existence...

Re:

[xwin]

Windows7 will run on Zen3 just fine. You just need to install wufuc to allow for system updates. I just installed Windows7 on the latest AMD cpu and it works perfectly. Motherboard manufacturers even provide utilities to add USB3 drivers to the Win7 installation CD.

Re: meanwhile

[sectokia]

Last versions of windows 7 end support this year, no patching at all soon. Most versions are already finished,

Re:

[drinkypoo]

That's what they say. But they have a history of releasing critical patches well after EOL, probably because the US government is still using it and insists.

Re:

[antdude]

You paid MS for new critical updates from its WU? :P

Yawn

[jmccue]

Yawn, even the flame fests about Windows issues are getting boring. Like watching reruns of Gilligan's Island. After a long enough period of time you know all the jokes and you watch just to kill time.

Re: Yawn

[phantomfive]

That's what she said.

Re:

[93 Escort Wagon]

How can you not love a mashup of Shakespeare's Hamlet with Bizet's Carmen?

Re:

[inode_buddha]

True dat. This is giving me flashbacks to the 1990's when SMB was a known issue...

Re:

[Anonymous Coward]

This is no joke. Where's the Samba CVE? How can Linux ever compete with Windows if we can't even duplicate their bugs?

So version 3.1.1

[93 Escort Wagon]

That's SMB for Workgroups?

Key term

[Duh-People-Really]

Over the internet.

Why in Gawd's name would you be attaching to a SMB share (of any flavor) over the internet?
If your local network i.e. the shit provided by your company, is vulnerable then the security group should find the people responsible for exploiting this "feature" and fire their asses.

How many Linux SMB installations are vulnerable to this? Microsoft is probably not alone in this.

Re:

[fazig]

Don't forget that we're living in the time of IoT devices everywhere.

Some companies, which I won't name here, have been selling their Home Cloud products to people.
Essentially NAS drives that come with a small server that makes them accessible through the internet. Among other things they do use the SMB protocol for file sharing between their stationary home devices and a mobile device like a laptop.

I guess some half tech savvy people could have had the brilliant idea that they don't need dedicated har

Re:

[Jeremy Allison - Sam]

> How many Linux SMB installations are vulnerable to this?

None.

>Microsoft is probably not alone in this.

Nope. In this case they are, actually. The added an SMB3 transform compression header which Samba doesn't implement (yet). There was a bug in their compression libraries. Hence the bug. Even if we did implement SMB3 transform compression we'd be using different compression libraries (which may have their own bugs of course - compression/decompression code is notoriously hard to get right).

"Wormable" does not cut it

[aberglas]

So I just have my laptop on the internet, and a completely unauthorized attacker can take over my machine. That is appalling.

If I let someone into the house by running a program or opening a document and they manage to become root that is bad. But not NEARLY as bad as an exploit that can be activated cold. Either by just being on the internet or receiving an email.

There are security flaws and there are security flaws, and the popular press does not understand the difference. The word "Wormable" does not really cut it. "Absolute vulnerability" or the like is what it should say.

Re:

[drinkypoo]

It's already true that you can't use Windows without a firewall. This is just one more reason why. Luckily it has a moderately acceptable one built in these days.

Re:

[thegarbz]

So I just have my laptop on the internet, and a completely unauthorized attacker can take over my machine. That is appalling.

Nope. You need to open your laptop on the internet, AND then tell Windows you're on a private network against the warning that you should never do this on the open internet, AND you need to not be behind NAT or a firewall.

There are security flaws and there are security flaws, and the popular press does not understand the difference.

Evidently neither do Slashdot posters. If this were the 90s and we still connected to the internet like in the 90s this would be wormable. But we don't so it's not.

The problem runs deeper

[Opportunist]

It's one of those classic Windows problems, that you can't just turn a service for X off without affecting Y, Z and a bunch of others where you wonder why the fuck they depend on a service that should have nothing to do with them. In a sensible system, you could now simply ponder whether you need file sharing and if not, turn the service off and be done with it. Not so in Windows. Try to disable that service, I dare you.

Re:

[thegarbz]

Last I saw disabling samba in Linux also prevents you from joining domain controllers, printing to network printers, and doing anything else that uses that protocol. You're (very mistaken) view is that this is just for file sharing.

Also it's not a classic windows problem as in the 90s we learnt to block external network attempts at samba ports. Even now Windows 10 will block the service by default if the network you're connected to is considered "Public" and if you allow access to the ports used for samba f

Re:

[Jeremy Allison - Sam]

> All these samba exploits have been a big *yawn*. Wormable it may be in theory, but a threat it won't be in practice.

Just a correction. This is not a Samba exploit. It's an exploit in Microsoft's implementation of the SMB3 protocol (which is native on Windows). Samba is *not* the same as the protocol - it's actually a separate open source project that implements SMB1/2/3 - https://samba.org./ [samba.org.]

Yeah I know it's easy to get the two mixed up. Even Microsoft marketing have done so on occasion :-).

Editors???

[fred911]

At least verify a command recommend to readers is error free.

  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

(notice no trailing . included in the '')

Kinda makes a difference, especially for JoeSixpack

Re:

[WallyL]

Wow, for some dumb reason I never learned that manipulating the registry from Powershell was that easy. But then again, I moved to Linux to avoid Windows 10...

If you are into security

[ReneR]

you might like my IT Security Chronicle channel: https://www.youtube.com/watch?... [youtube.com]

Turned off at the command line??

[NathanWoodruff]

If this can be turned off at the command line, couldn't a virus execute the same command at the command line to turn it on??

Asking for a friend.

Re:

[The-Ixian]

If an attacker has admin-level permission to run the command, you are already pwned....

Re:

[NathanWoodruff]

Doesn't "call cmd" from the command line give you a new command prompt with admin permissions or was that only in Windows XP? I'm not anywhere I can test that out on windows 10.

I'm not sure if Microsoft has fixed that with Window XP either.

Question

[technology_dude]

Is a Windows client with file and print sharing enabled not a "server"? Most of what I am reading says to patch the servers (1903 and above) and those are relatively rare at this point but there are a ton of 1903 and above clients. I understand the file and print sharing should be avoided as much as possible but I'm not clear on whether I should push out the registry setting mentioned in the work around or not. There is no major downside that I can see by implementing the work around so I will probably j

Re: Question

[bn-7bc]

Hmm interesting point, I think clients sharing files is rather uncommon in corporate networks, and home users generally donâ(TM)t Read these announcements, so the focus on patching servers is understandable. But yea you are right a âoeclientâ serving files is indeed a âoeserverâ as it runs server software I guess. But the general deffinision of a server might be the thing in the rack âoesomewhereâ and not the device on my desk( yea yea my 1/4 rack is on my desk you insensi

No

[bn-7bc]

"the service that's used to share files, printers, and other resources on local networks and over the internet" while I agree with the lan bit, as for wan No, just No, smb dies not go acroos the Internet (well not outside a vpn tunnel at least) did equiax teach is nothing,SMB/CIFS is plocked at the border firewall

Pathces are now available

[jbmartin6]

https://portal.msrc.microsoft.... [microsoft.com]


In other silver linings, home PCs all have SMB to the internet blocked by default and most home routers don't have any inbound forwarding rules. Meanwhile, enterprises which are more likely to get hit by a worm lave likely not yet migrated to 1903+ in most cases.

SMB again

[gweihir]

This thing seems to be vulnerable again and again and again. Typical MS "quality" level software.

Re:

[thegarbz]

Just as well Linux and Mac never has security issues.

(Copy of a comment I posted at Arstechnica).

[Jeremy Allison - Sam]

Microsoft hasn't contacted us (Samba) so this almost certainly isn't a protocol level bug (they're *very* good about being proactive on these), but an error in their implementation of the SMB3 compression transform.

In other words, a typical buffer overrun in a compression library. Gee, wonder where I've seen these before.

Currently Samba doesn't implement that specific SMB3 compression transform header (we do implement the SMB3 encryption transform header, which isn't vulnerable), an example where being slow

MICROS~1 strikes again :]

[notdecnet]

MICROS~1 the company that made typing dangerous.