COMING TO A NETWORK NEAR YOU —
Once elusive, remote code execution is looking increasingly likely.
A researcher has published exploit code for a Microsoft Windows vulnerability that, when left unpatched, has the potential to spread from computer to computer with no user interaction.
So-called wormable security flaws are among the most severe, because the exploit of one vulnerable computer can start a chain reaction that rapidly spreads to hundreds of thousands, millions, or tens of millions of other vulnerable machines. The WannaCry and NotPetya exploits of 2017, which caused worldwide losses in the billions and tens of billions of dollars respectively, owe their success to CVE-2017-0144, the tracking number for an earlier wormable Windows vulnerability.
Also key to the destruction was reliable code developed by and later stolen from the National Security Agency and finally published online. Microsoft patched the flaw in March 2017, two months before the first exploit took hold.
Puppies will die
Proof-of-concept exploit code for the new wormable Windows vulnerability was published on Monday by a Github user with the handle Chompie1337. The exploit isn’t reliable and frequently results in crashes that present a BSOD, shorthand for the “blue screen of death” Windows displays during system failures. Regardless, the code still serves as a blueprint that, with more work, could be used to remotely compromise vulnerable machines and then spread.
“This has not been tested outside of my lab environment,” the Github user wrote. “It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die.”
SMBGhost, the name given to the new Microsoft vulnerability, is likely not as easy to exploit by remote attackers, but its potential for wormable exploits and the slow rate of patching even critical security flaws have still stoked concerns among some security professionals. Microsoft has said that the chances of malicious exploits are “more likely.”
Like the flaw exploited by WannaCry and NotPetya, it resides in the Windows implementation of the Server Message Block, a service used by operating systems to share files, printers, and other resources on local networks and over the Internet. Like the older flaw, the newer one can be remotely exploited simply by sending maliciously crafted packets to a SMB port connected to the Internet.
Tracked as CVE-2020-0796, the flaw resides in Windows 10 versions 1903 and 1909 and in Windows Server versions 1903 and 1909 if they haven’t been patched. All are relatively new OS releases, and Microsoft has invested huge amounts of resources hardening them against precisely these types of attacks. Up until now, researchers have only been able to exploit the bug locally, meaning once they have already gained limited access in a network. By contrast, the ability to use exploits to gain RCE, short for remote code execution, have proved much more elusive.
“This is probably because remote kernel exploitation is very different from local exploitation in that an attacker can’t utilize useful OS functions such as creating userland processes, referring to PEB [Process Environment Block], and issuing system calls,” researchers from Ricerca Security wrote in a detailed post published in April. “Accompanied with mitigations introduced in Windows 10, this limitation makes the achievement of RCE much more challenging.”
The result of the newly released exploit is that it increases the chances of attackers developing worms that work remotely.
Laggard, patch thyself
Reports of the vulnerability were disclosed and then quickly depublished by security firm Fortinet and Cisco security group Talos on March 10, the regularly scheduled Update Tuesday for that month. No one ever explained why the flaw details were released and then pulled. Two days later, Microsoft issued an unscheduled update that patched the vulnerability.
“We recommend customers install updates as soon as possible as publicly disclosed vulnerabilities have the potential to be leveraged by bad actors,” Microsoft officials wrote in a statement on Friday. “An update for this vulnerability was released in March, and customers who have installed the updates, or have automatic updates enabled, are already protected.”
Workarounds that mitigate exploits but don’t actually fix the underlying vulnerability include:
- Disabling SMB compression
- Blocking port 445
As the world learned from WannaCry and NotPetya, Windows users often wait months or longer to install critical software updates. Sometimes, the inaction is the result of inattention, but often it’s because patches break core functions inside a network. Still other times it’s because operators aren’t at liberty to shut down their systems for the length of time required to install the patch and make changes to incompatible components or services.
Independent researcher Troy Mursch said he has been seeing “opportunistic mass scanning” for the vulnerability, an indication that attackers have been scoping out vulnerable networks. With reliable exploits looking more likely, now would be a good time for laggards to finally install the patch.