Microsoft patches SMBv3 wormable bug that leaked earlier this week

Emergency out-of-band fix for CVE-2020-0796 is now rolling out to Windows 10 and Windows Server 2019 systems worldwide.


Microsoft today released a patch for a vulnerability in the SMBv3 protocol whose details accidentally leaked online earlier this week during the March 2020 Patch Tuesday preamble.

The fix is available as KB4551762, an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.

The update fixes CVE-2020-0796 (SMBGhost), a vulnerability in Server Message Block, a protocol for sharing files, printers, and other resources on local networks and the Internet.

The bug allows attackers to connect to remote systems where the SMB service is enabled and run malicious code with SYSTEM privileges, allowing for remote takeovers of vulnerable systems.

Earlier this week, due to what looks like a miscommunication between Microsoft and some antivirus vendors, details about this bug leaked online.

Antivirus vendors said the bug could be weaponized to develop self-spreading SMB worms, similar to the capabilities used by the WannaCry and NotPetya ransomware strains in 2017.

While Microsoft was not initially planning to release fixes this month, the company was eventually forced to push today's patch after the cat was out of the bag.

Today's fixes come just in time. Since Tuesday, several security researchers have told this reporter that it only took them five minutes to find the bug's location in the SMB driver's code.

Some researchers have also developed basic proof-of-concept demos, showing how they used the vulnerability to cause crashes on vulnerable machines.

Microsoft said that the vulnerability only impacts Windows 10 and Windows Server 2019 (both v1903 and v1909) systems.

Cyber-security firm Kryptos Logic said today it identified around 48,000 hosts that had the SMB port exposed to the internet and were vulnerable to potential attacks using this bug.

For users who can't install today's patch right away, Microsoft has detailed mitigation advice in a separate security advisory.