Report DIVD-2020-00006 - SMBv3

Written on 08 Apr 2021 by Jeroen van de Weerd

Case lead: Sander Spierenburg
Case file: DIVD-2020-00006

March 10, 2020, Microsoft published information about a serious vulnerability in Microsoft’s Server Block Protocol version 3.

A buffer overflow vulnerability in Kernel Address Space could be exploited with a specially crafted compressed file. A simple exploit would result in the Blue Screen Of Death. A more sophisticated attack would make it possible to execute unauthorized commands on the vulnerable system. An attacker could gain system privileges.

There were similarities with both Wannacry and NotPetya who both used SMBv1 to spread quickly around the world. SMB allows different users to use common folders, fertile breeding ground, in terms of lateral movement and client-to-client infection, similar to previous SMB exploits. However, this was no Wannacry 2.0.

‘It was a critical vulnerability but there was a patch for it pretty soon,’ says DIVD’s case lead Sander Spierenburg. ‘we emphasized that case that people would know such a vulnerability was there. The impact of that vulnerability was not that big because the presence of SMBv3 implementation is not that big yet.’

March 10 a scan was done on Dutch IP addresses. There were about 200 IP addresses with SMBv3.1.1. running and compression enabled. Notifications were sent by DIVD partner CleanNetworks.

DIVD warned that there was a serious threat to office networks using Windows 10. For client systems, it is not possible to disable compression in SMBv3. Opening a link to a rogue SMBv3 server can be enough to execute unauthorized code on the client. A workaround was disabling compression or blocking TCP port 445.

March 11 a worldwide scan by DIVD showed there were 62.000 IP addresses with SMBv3.1.1. running and compression enabled. The next day there were 32.000 vulnerable IP addresses. It was not clear why. Maybe some big ISP’s closed port 445.

March 12 Sophos Labs Offensive Security Team seemed to show a working exploit the same day Microsoft published a patch. After the patch was released, it was not possible anymore to find vulnerable systems only by scanning, so no additional scans were performed.

December 3 2020 this case was closed.