A researcher has released exploit code for a Microsoft Windows vulnerability that, if left unpatched, could allow an attack to spread from computer to computer without any user interaction.
So-called wormable vulnerabilities are among the most serious, because exploiting one vulnerable computer can trigger a chain reaction that quickly spreads to tens of thousands, hundreds of thousands, or millions of other vulnerable machines. The 2017 WannaCry and NotPetya outbreaks, which caused billions of dollars in losses worldwide, owed their success to CVE-2017-0144, the tracking number for an earlier wormable Windows vulnerability.
Also key to the destruction was reliable exploit code, developed by the National Security Agency, that was later stolen and eventually published online. Microsoft had fixed the bug in March 2017, two months before the first worm outbreak began.
Puppies will die
Proof-of-concept exploit code for the new wormable Windows vulnerability was released on Monday by a GitHub user with the handle chompie1337. The exploit is not reliable and frequently crashes the target with a BSOD, short for the "blue screen of death" that Windows displays after a system failure. Even so, the code serves as a blueprint that, with more work, could be used to remotely compromise vulnerable computers and then spread from them.
"This has not been tested outside of my lab environment," the GitHub user wrote. "It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for a purpose other than self-education is an extremely bad idea. Your computer will go up in flames. Puppies will die."
SMBGhost, the name given to the new Microsoft vulnerability, may not be as easy for remote attackers to exploit, but the potential for wormable exploits and the slow patch rate for even critical vulnerabilities have still raised concerns among security experts. Microsoft's own assessment rates the bug as "Exploitation More Likely."
Like the bug exploited by WannaCry and NotPetya, it resides in the Windows implementation of Server Message Block, a protocol that operating systems use to share files, printers, and other resources on local networks and over the Internet. Like the older bug, the newer one can be exploited remotely by sending maliciously crafted packets to a machine whose SMB port is exposed to the Internet.
The bug, tracked as CVE-2020-0796, exists in unpatched Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909. All of them are relatively new versions of the operating system, and Microsoft has invested enormous resources in hardening them against this type of attack. So far, researchers have only been able to exploit the bug locally, that is, once they already have limited access to a machine, for privilege escalation. Turning it into RCE, short for remote code execution, has proven much more difficult.
"This is probably because remote kernel exploitation is very different from local exploitation, in that an attacker cannot make use of helpful operating system features such as creating userland processes, referencing the Process Environment Block [PEB], and issuing system calls," researchers from Ricerca Security wrote in a detailed article published in April. "Combined with the mitigations introduced in Windows 10, this limitation makes achieving RCE much more difficult."
The upshot of the newly released exploit is that it raises the likelihood that attackers will develop worms that work remotely.
Laggards, patch up
Details of the vulnerability were published, and then quickly pulled, on March 10, that month's regularly scheduled Patch Tuesday, by security firm Fortinet and Cisco's Talos security group. Nobody has explained why the bug details were published and then withdrawn. Two days later, Microsoft released an out-of-band update that fixed the vulnerability.
"We encourage customers to install updates as soon as possible, as publicly disclosed vulnerabilities have the potential to be leveraged by bad actors," Microsoft representatives said in a statement Friday. "An update for this vulnerability was released in March. Customers who have installed the updates, or have automatic updates enabled, are already protected."
Workarounds that block known exploitation paths but do not fix the underlying vulnerability include:
- Disabling SMBv3 compression on servers
- Blocking TCP port 445 at the perimeter firewall
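As an added illustration of those two workarounds (this is example code written for this page, not Microsoft's advisory or anything from the researchers quoted above), the following PowerShell audits a single host and applies or reverts both mitigations. It assumes the affected builds are 18362 (version 1903) and 18363 (version 1909), that the server-side switch is the `DisableCompression` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`, and that the March 12, 2020 fix for these builds is KB4551762; the rule name and function names are the example's own. Run it from an elevated PowerShell session.

```powershell
# Added example for CVE-2020-0796 (SMBGhost): audit a host, then apply or undo the two
# workarounds. Assumptions: builds 18362/18363 are the affected ones, DisableCompression=1
# under the LanmanServer parameters key disables SMBv3 compression, KB4551762 is the fix.
$Params         = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedBuilds = @(18362, 18363)                      # Windows 10 / Server 1903 and 1909
$RuleName       = 'Block inbound SMB (CVE-2020-0796)'  # hypothetical firewall rule name

function Test-SmbGhostExposure {
    # Build number comes from the registry as a string; cast it for the comparison.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $patched = [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)
    $compressionOff = (Get-ItemProperty -Path $Params -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression -eq 1
    # SMB2 and SMB3 share one on/off switch in the server configuration.
    $smbServerOn = (Get-SmbServerConfiguration).EnableSMB2Protocol
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = $AffectedBuilds -contains $build
        Patched             = $patched
        CompressionDisabled = $compressionOff
        SmbServerEnabled    = $smbServerOn
        Port445Listening    = $listening445
        # Server-side exposure: affected build, no patch, compression on, and SMB reachable.
        ServerExposed       = ($AffectedBuilds -contains $build) -and -not $patched -and
                              -not $compressionOff -and $smbServerOn -and $listening445
    }
}

function Invoke-SmbGhostWorkaround {
    # Workaround 1: disable SMBv3 compression. Protects the SMB server role only; an SMB
    # client connecting to a malicious server is still exposed, so this is not a substitute
    # for the patch.
    Set-ItemProperty -Path $Params -Name DisableCompression -Type DWORD -Value 1 -Force

    # Workaround 2: drop inbound TCP 445 at the host firewall. This also breaks inbound
    # file and print sharing, so apply it only to hosts that should not serve SMB.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

function Undo-SmbGhostWorkaround {
    # Revert both changes once the update is installed and file sharing is needed again.
    Set-ItemProperty -Path $Params -Name DisableCompression -Type DWORD -Value 0 -Force
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Usage: audit first, mitigate only if the host is exposed and cannot be patched right away.
$state = Test-SmbGhostExposure
$state
if ($state.ServerExposed) { Invoke-SmbGhostWorkaround }
```

Two caveats a practitioner should keep in mind: disabling compression only protects the server side of SMB, so a client on an affected build that connects to a hostile share is still vulnerable, and a perimeter block on port 445 does nothing against an attacker who is already inside the network. Both workarounds buy time; only the update closes the bug.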
As the world learned from WannaCry and NotPetya, Windows users often wait months or longer to install important software updates. Sometimes the inaction is the result of inattention, but often it is because patches break core functions within a network. In other cases it is because operators cannot take their systems down for the time it takes to install the patch and rework incompatible components or services.
Independent researcher Troy Mursch said he has observed "opportunistic mass scanning" for the vulnerability, an indication that attackers are hunting for vulnerable networks. With reliable exploits now more likely, laggards would do well to finally install the patch.