It seems the vulnerability is a wormable flaw similar to BlueKeep, and its details were published alongside Microsoft’s March Patch Tuesday. Both Cisco Talos and Fortinet confirmed the leak, which is now tracked as CVE-2020-0796. Fortinet describes the Server Message Block vulnerability as “a Buffer Overflow Vulnerability in Microsoft SMB Servers” and has assigned the bug its highest, critical, rating. “The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet,” Fortinet adds. “A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”

Cisco Talos offered a similar description, saying the bug leaves systems open to a wormable attack that can move easily from victim to victim. Interestingly, the security firm later removed the messages without providing an explanation. You may remember the SMB protocol was also used to spread the WannaCry and NotPetya ransomware attacks in 2017.

That said, Fortinet says there is no current danger to organizations because there is no exploit for the vulnerability. Sure, details of the bug are now available to attackers, but the company does not expect exploits to follow, not least because the flaw only affects Windows 10 v1903, Windows 10 v1909, Windows Server v1903, and Windows Server v1909.
Microsoft Advisory
The obvious question is how Microsoft leaked details of such a critical vulnerability before a patch is available. Redmond has published an advisory with the following details:

“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”