Microsoft leaks presence of unpatched wormable exploit in Windows 10 SMB Servers

Microsoft has accidentally revealed the presence of a wormable exploit in the SMBV3 protocol during their Patch Tuesday infodump, but without releasing a patch for the same flaw, leaving all recent installations vulnerable.

Affected PCs of the CVE-2020-0796 vulnerability include Windows 10 v1903, Windows10 v1909, Windows Server v1903, and Windows Server v1909.

It is suspected that Microsoft was planning to release a patch this Patch Tuesday, but pulled it at the last minute, but still included the details of the flaw in their Microsoft API, which some antivirus vendors scrape and subsequently publish. That API is currently down, and vendors such as Cisco Talos who published details have now deleted their reports.

SMB is the same protocol as exploited by the WannaCry and NotPetya ransomware but thankfully on this occasion, no exploit code has been released.

Full details of the flaw have not been published, but it is understood to be a buffer overflow in the Microsoft SMB Server that occurs “…due to an error when the vulnerable software handles a maliciously crafted compressed data packet.” Security company Fortinet  notes “a remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”

No patch has been released, but there is some mitigation available.

In their unpublished advice Cisco Talos’ suggested:

“Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers.”

Update: The full advisory can now be read at Microsoft here. Microsoft notes the workaround above will protect the server but not affected clients.

Read more about the issue at ZDNet here.