ACSC warns of critical vulnerability in Microsoft OS

The Australian Cyber Security Centre (ACSC) has warned Microsoft Server admins to patch their systems immediately following the discovery of a serious vulnerability affecting Microsoft Server Message Block 3.1.1 (SMBv3).

The “wormable” remote code execution (RCE) vulnerability, which effectively allows hackers to run code on exposed machines with system-level privileges, has the potential to cripple government systems.

Christened EternalDarkness by cyber researchers, the flaw, tracked as CVE-2020-0796, potentially gives attackers arbitrary code execution in both the SMB server and the SMB client.

The name is a direct reference to EternalBlue, an SMB (Server Message Block) flaw that was widely used by hackers as an exploit vector in the 2017 WannaCry and NotPetya ransomware outbreaks.

The clear similarity between the exploits raises particular concern among cyber researchers, with the 2017 outbreaks causing mass disruption to the UK's National Health Service (NHS) as well as crippling transportation, automotive and telecommunications companies in Europe, the ACSC said.

EternalDarkness is believed to be ‘wormable’, meaning it could be developed to propagate, or ‘worm’ through, vulnerable computer systems automatically, with no user interaction whatsoever, according to the ACSC.

The flaw has been described by cybersecurity developer Fortinet as "a Buffer Overflow Vulnerability in Microsoft SMB Servers".

"The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," Fortinet said. "A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application."

Details about the flaw were mistakenly leaked last week on one of Microsoft’s Patch Tuesday blog posts. Microsoft subsequently acknowledged the vulnerability publicly and published an advisory for it.

The ACSC said it is “currently not aware of any publicly available exploits for the EternalDarkness vulnerability at this time, however it is likely one will be developed in the near future”.

Microsoft has identified the following versions of Windows to be vulnerable to EternalDarkness: Windows 10 Version 1903 (32 bit, x64 and ARM64); Windows 10 Version 1909 (32 bit, x64 and ARM64); Windows Server, version 1903; and Windows Server, version 1909.

Microsoft's security update for CVE-2020-0796 can be accessed via its advisory, "CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability".