What you need to know
- Details about a vulnerability in the Microsoft Server Message Block leaked online recently.
- A patch for the bug is not included in Microsoft's March 2020 Patch Tuesday updates.
- While the bug is present, the exploit code was not leaked, meaning an attack is less likely.
Details of a vulnerability in the Microsoft Server Message Block (SMB) leaked recently. The bug is a wormable vulnerability and appeared in published summaries by cyber-security firms Cisco Talos and Fortinet. The bug, which is labeled, CVE-2020-0796, did not receive a patch in the Microsoft March 2020 Patch Tuesday updates, so it will be unpatched for at least a short period of time.
Fortinet states that the bug allows "Remote attackers [to] gain control of vulnerable systems." The full description explains how vulnerability is caused by an error when handling data packets:
This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.
While the bug is present and unpatched at the moment, the risk of an attack isn't high. ZDNet points out that while the details of the bug are online, no exploit code was leaked. Additionally, the bug only impacts SMBv3, which is only in the latest versions of Windows. Specifically, Windows 10 version 1903, Windows 10 version 1909, Windows Server version 1903, and Windows Server version 1909 are affected by the bug.
Microsoft did not respond to ZDNet for comment, and it's currently unclear how the leak happened. There's a chance that Microsoft sent out details about the bug to trusted partners and then removed the bug from its list with a short timeframe for companies like Cisco Talos and Fortinet to remove the details from security advisories.
It's also possible that the information was scraped by companies heading up to Patch Tuesday. If this is the case, it means the bug was going to be patched but wasn't. It would mean that Microsoft forgot to remove it from the Microsoft API serving Patch Tuesday details. ZDNet's Catalin Cimpanu reports that the API is down now.
When Cisco Talon listed the vulnerability, it stated that "Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers."