March Patch Tuesday Leaked Details of a Wormable Server Message Block Vulnerability

Microsoft’s Patch Tuesday accidentally leaked details of a bug in Server Message Block (SMB) that has been described as wormable.


Microsoft has been subject to an embarrassing leak this week. Security researchers have revealed that details of a new vulnerability in the Microsoft Server Message Block (SMB) protocol have been accidentally leaked.

It seems the vulnerability is a wormable flaw similar to BlueKeep, and its details were sent out with Microsoft's March Patch Tuesday. Both Cisco Talos and Fortinet confirmed the leak of the flaw, which is now tracked as CVE-2020-0796.

Fortinet describes the Server Message Block vulnerability as “a Buffer Overflow Vulnerability in Microsoft SMB Servers”. The company has given the bug its highest critical rating.

“The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet,” Fortinet adds. “A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”

Cisco Talos offered a similar description, saying the bug leaves systems open to a wormable attack that can move easily from victim to victim. Interestingly, the security firm later removed the messages without providing an explanation.

You may remember the SMB protocol was also used to spread the WannaCry and NotPetya ransomware attacks in 2017. That said, Fortinet says there are no current dangers to organizations because there is no exploit for the vulnerability.

Sure, details of the bug are now available to attackers, but the company does not expect exploits to follow. Not least because the flaw only affects Windows 10 v1903, Windows 10 v1909, Windows Server v1903, and Windows Server v1909.

Microsoft Advisory

The obvious question is how Microsoft leaked details of such a critical vulnerability before a patch is available. Redmond has published an advisory with the following details:

“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Luke Jones