U.S. cybersecurity officials are warning of a three-month-old Windows 10 vulnerability and proof-of-concept code that could allow a bad actor to execute code on a compromised machine.
Malicious cyber actors are targeting unpatched systems with the new proof of concept code, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) says in a warning.
CISA recommends using a firewall to block SMB ports from the internet and to apply patches to critical and high-severity vulnerabilities as soon as possible.
According to Forbes, Microsoft disclosed and provided updates for the vulnerability in March, but unpatched systems are being targeted with the new proof-of-concept code.
The vulnerability is called CVE-2020-0796, but it’s better known as SMBGhost, the publication says.
CVE-2020-0796, better known today as SMBGhost, was thought so dangerous were it to be weaponized that it merited that rarest of common vulnerability scoring system (CVSS) ratings: a “perfect” 10. Microsoft was quick to act. It issued an emergency out of band fix within days.
SMBGhost is a fully wormable vulnerability that could enable remote and arbitrary code execution and, ultimately, control of the targeted system if a successful attack was launched. The vulnerability, in Microsoft’s Server Message Block 3.1.1, allows for a maliciously constructed data packet sent to the server to kick off the arbitrary code execution.
However, if not every at-risk device was updated automatically, some machines are still exposed, according to Forbes.
Such an attack would require both an unpatched and vulnerable Windows 10 or Windows Server Core machine and, crucially, working and available exploit code. The former should have been sorted by the emergency update being applied automatically, but that assumes every device at risk would have automatic updates enabled.
What IT administrators should do:
- Ensure automatic updates are enabled on every device within the organization
- Install the update on vulnerable devices
- Read Microsoft’s security guidance, advisory and CEERT Coordination Center’s Vulnerability Note.