Microsoft delivers emergency patch to fix wormable Windows 10 flaw, Ars Technica

      PUTTING THE CAT BACK IN THE BAG –

Attackers got a head start when critical SMBv3 flaw details leaked 2 days ago.

NotPetya in 2020. In a bulletin accompanying Thursday’s patch, Microsoft said it has no evidence the flaw is being actively exploited, but the company went on to label the bug as “exploitation more likely.” That designation means malicious actors will probably develop and use exploits in the future. Microsoft officials wrote:

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The Security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

Shortly after Microsoft issued the out-of-band fix, researchers at security firm Sophos published an analysis that elaborated on the vulnerability. It said:

The vulnerability involves an integer overflow and underflow in one of the kernel drivers. The attacker could craft a malicious packet to trigger the underflow and have an arbitrary read inside the kernel, or trigger the overflow and overwrite a pointer inside the kernel. The pointer is then used as [a] destination to write data. Therefore, it is possible to get a write-what-where primitive in the kernel address space.

Roughly translated, the details mean that attackers with a well-written exploit might be able to read plain-text passwords or other sensitive data and could also obtain a command shell that can be used to take control of the vulnerable machine. EternalBlue — an earlier SMB exploit developed by and later stolen from the National Security Agency — also obtained a read-write capability, which it used to replace an inbound SMB function with a malicious function. That allowed the attacker to execute malicious code the next time a vulnerable machine.

Multiple ways to exploit

The Sophos write-up said malicious hackers could use the exploit in at least three scenarios:

Scenario 1: The attacker targets a machine sharing files. If a user or administrator has changed default settings to open port 445 or disabled the Windows firewall, or if the machine belongs to a Windows Domain, the machine is open to a remote form of attack that allows attackers to take control. “It goes without saying that any unpatched system with the vulnerable SMB port open to the public Internet could become a target of opportunity for a worm-like outbreak, similar to WannaCry,” members of the SophosLabs offensive security team wrote in Thursday’s blog post. “The mitigating factor is that it requires an attacker with a state-of-the-art exploit that could bypass all the security mitigation Microsoft has built in to Windows 10 and that the target has port 445/tcp open for incoming connections.”

Scenario 2: An attacker tricks a user into connecting to a malicious server. Attackers could use spammed messages that contain links that, when clicked, cause the vulnerable machine to join the attacker’s malicious network. With that, the attacker would have full control over the machine. A variation: the attacker who already has limited access to a network spoofs a trusted device inside the organization. Machines that use SMBv3 to connect to that spoofed machine are then compromised. When the two variations are combined, this type of attack might be useful in gaining initial access to a targeted network and then pivoting to more privileged or sensitive machines. A disadvantage from the attacker’s standpoint is that these types of exploits require the social engineering of a targeted user.

Scenario 3: An attacker who gains limited access to a vulnerable computer through other means exploits the SMBv3 flaw to run malicious code that has the same system rights as the targeted user. From there, attackers might be able to further elevate privileges to those of SYSTEM. Sophos demonstrated this third attack scenario in the video below:

Researchers from Sophos and elsewhere have stressed that the robust security defenses Microsoft has added to Windows 10 make it extremely difficult to develop reliable exploits. Those defenses are likely to cause many targeted machines to crash and thus tip off users or administrators that an attempted attack is under way. These mitigations don’t mean that the SMBv3 vulnerability isn’t likely to be maliciously exploited. The ability to reverse-engineer Thursday’s patch, combined with the high-stakes consequences of successfully exploiting the flaw, will likely prompt highly skilled attackers to develop attacks.

Anyone using a Windows machine — particularly those who share printers, files, or resources over any kind of network — should install the patch as soon as practicable. For those unable to install patches right away, less effective mitigations are to (1) disable SMB compression and (2) block port 445 to the outside Internet (this last step is something security experts have long considered vital anyway). Another possible mitigation is to block port 445 inside a local network, but Sophos warned that measure comes at a cost. “TCP port 445 is not only used by SMB, but by some other vital components of a Windows Domain. The only way to mitigate the vulnerability is to patch,” Thursday’s post explained.
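The two interim workarounds above (disable SMB compression, block inbound TCP 445 from the outside) can be applied and verified from an elevated PowerShell session on the affected host. The script below is an added example and is not code from the Ars Technica article, Microsoft, or Sophos. It assumes a Windows 10 machine with the NetSecurity and Storage modules present; the registry value name DisableCompression is taken from Microsoft's published workaround for this flaw rather than from the article, so check it against current vendor guidance before deploying. The firewall rule is scoped to the Public profile only, because, as Sophos warns, blocking 445 on a domain network breaks other Windows Domain components.

```powershell
# Added example: apply and verify the interim SMBv3 workarounds named in the article.
# Run elevated. Patching remains the only real fix; these reduce exposure until then.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName     = 'Interim SMBv3 workaround - block inbound TCP 445 (Public profile)'

function Disable-SmbCompression {
    # Workaround 1: turn off SMBv3 compression on the server side.
    # Value name is Microsoft's documented workaround (assumption: unchanged on this build).
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Enable-SmbCompression {
    # Undo workaround 1 after the security update has been installed.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 0 -Force
}

function Block-InboundSmbPublic {
    # Workaround 2: refuse inbound TCP 445 on the Public firewall profile only,
    # so file/print and domain traffic on Domain/Private profiles keep working.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

function Test-SmbWorkarounds {
    # Returns an object an inventory or compliance script can evaluate.
    $comp = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression `
                -ErrorAction SilentlyContinue).DisableCompression
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        CompressionDisabled   = ($comp -eq 1)
        Port445BlockedPublic  = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True')
        Smb445StillListening  = ($null -ne $listening)   # expected: the service still listens;
                                                         # the firewall rule is what limits exposure
    }
}

Disable-SmbCompression
Block-InboundSmbPublic
Test-SmbWorkarounds | Format-List
```

Run `Enable-SmbCompression` and remove the firewall rule with `Remove-NetFirewallRule -DisplayName $RuleName` once the out-of-band update is installed and confirmed; leaving compression off has no security benefit after the fix and only costs transfer performance.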
