Microsoft is rolling out a patch for the SMBv3 vulnerability it let slip earlier this week. The ‘wormable’ bug was inadvertently revealed in the lead up to March’s Patch Tuesday, despite no mitigation rolling out with the updates.
Summaries of the bug were posted by Cisco Talos and Fortinet, who were given early access to the information and published it after a miscommunication. Attackers can exploit the bug by sending a specially crafted packet to a target SMBv3 server, allowing them to take complete control of vulnerable systems.
According to Microsoft, the issue exists int he way SMBv3 handles certain requests and is classed as a buffer overflow. To make use of the bug, an attacker would have to configure a malicious SMB server in a certain way and convince them to connect to it.
The vulnerability has raised particular concern due to the use of SMB by ransomwares WannaCry and NotPetya. Several security researchers said it took them no more then five minutes to find the bug’s location in SMB code after the advisories were published. Some have also developed proof of concepts, suggesting it won’t be too long until we see this in use in the wild.
Thankfully, researchers think this won’t have as big of an impact as the aforementioned ransomware. In the case of WannaCry, the exploit fell in SMBv1, which sees much wider usage. Rendition Security’s Jake Williams also said there may be some kernel mitigation.
“Core SMB sits in kernel space and KASLR is great at mitigating exploitation,” he tweeted. “Assuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD. Even with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, look at BUCKEYE. They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn’t easy.”
Still, at this point, there are still many unknowns. Server administrators should patch immediately, even if they have applied previous mitigations to block TCP port 445.