MS08-067 was possibly the most popular vulnerability of the 2000s. It allows remote code execution, pre-authentication, against all default Windows operating system configurations of the time. While SMB, should never be exposed on the Internet, once on the internal network, almost all windows systems have it enabled.

Exploitation is trivial (point and shoot) through metasploit: https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi

This exploit was widely used and most notably known for the Conficker worm: https://en.wikipedia.org/wiki/Conficker

Summary

SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday. Update 3/12/2020: Microsoft released an out of band patch

Narrative

Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”

Microsoft then released an advisory with more information: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

CERT followed: https://www.kb.cert.org/vuls/id/872016/

Impact

This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.

Affected Population

Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

Identify Vulnerable Hosts

Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394

Workaround

Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force

Update 3/12/2020

Microsoft released an out of band patch: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796