HomeWinBuzzer NewsMicrosoft Rolls out a Patch for Leaked SMBv3 Vulnerability

Microsoft Rolls out a Patch for Leaked SMBv3 Vulnerability

Admins are urged to apply the SMBv3 vulnerability patch right away to avoid a potential WannaCry-like crisis.


is rolling out a patch for the SMBv3 vulnerability it let slip earlier this week. The ‘wormable' bug was inadvertently revealed in the lead up to March's Patch Tuesday, despite no mitigation rolling out with the updates.

Summaries of the bug were posted by Cisco Talos and Fortinet, who were given early access to the information and published it after a miscommunication. Attackers can exploit the bug by sending a specially crafted packet to a target SMBv3 server, allowing them to take complete control of vulnerable systems.

According to Microsoft, the issue exists int he way SMBv3 handles certain requests and is classed as a buffer overflow. To make use of the bug, an attacker would have to configure a malicious SMB server in a certain way and convince them to connect to it.

The vulnerability has raised particular concern due to the use of SMB by ransomwares WannaCry and NotPetya. Several security researchers said it took them no more then five minutes to find the bug's location in SMB code after the advisories were published. Some have also developed proof of concepts, suggesting it won't be too long until we see this in use in the wild.

Thankfully, researchers think this won't have as big of an impact as the aforementioned ransomware. In the case of , the exploit fell in SMBv1, which sees much wider usage. Rendition Security's Jake Williams also said there may be some kernel mitigation.

“Core SMB sits in kernel space and KASLR is great at mitigating exploitation,” he tweeted. “Assuming this is kernel space, any unsuccessful exploitation results in [the blue screen of death] BSOD. Even with trigger code, you still have to remotely bypass KASLR (not an easy task). If you need proof, look at BUCKEYE. They had the EternalBlue trigger, but had to chain it with another information disclosure vulnerability to gain code execution. This isn't easy.”

Still, at this point, there are still many unknowns. Server administrators should patch immediately, even if they have applied previous mitigations to block TCP port 445.

Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.

Recent News