#1
SMB v3.11 flaw SMBGhost Windows 10 exploit actively exploited (fixed in Win10 v2004)
Eternal Darkness flaw in Windows 10 sounds scary as hell, best to patch it now
https://www.pcgamer.com/eternal-darkness-flaw-in-windows-10-sounds-scary-as-hell-best-to-patch-it-now/

"Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago. And like WannaCry, it has the ability to 'worm' its way through a network to quickly infect multiple PCs."
--
"You could also apply the May 2020 Update for Windows 10 (version 2004) if you have been putting that off, as this does not affect the latest release."
#2
Arlen Holder wrote:

Eternal Darkness flaw in Windows 10 sounds scary as hell, best to patch it now
https://www.pcgamer.com/eternal-darkness-flaw-in-windows-10-sounds-scary-as-hell-best-to-patch-it-now/

"Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago. And like WannaCry, it has the ability to 'worm' its way through a network to quickly infect multiple PCs."

"Microsoft explains that "the vulnerability exists in a new feature that was added to Windows 10 version 1903" and that "older versions of Windows do not support SMBv3.1.1 compression.""

Added for the benefit of Windows 7 owners (who might have been searching for a patch for it).

Paul
#3
On Wed, 10 Jun 2020 15:15:34 -0400, Paul wrote:

"Microsoft explains that "the vulnerability exists in a new feature that was added to Windows 10 version 1903" and that "older versions of Windows do not support SMBv3.1.1 compression."

Hi Paul,

I was confused as to whether Microsoft "re-introduced" this bug, much like Apple is wont to do...

Did Microsoft know about this... then patch it... and then, later, re-introduce it?

-- If so, that's really bad QA.
#4
Arlen Holder wrote:

On Wed, 10 Jun 2020 15:15:34 -0400, Paul wrote:

"Microsoft explains that "the vulnerability exists in a new feature that was added to Windows 10 version 1903" and that "older versions of Windows do not support SMBv3.1.1 compression."

Hi Paul,

I was confused as to whether Microsoft "re-introduced" this bug, much like Apple is wont to do...

Did Microsoft know about this... then patch it... and then, later, re-introduce it?

A patch for a CVE can be delivered multiple times. Maybe a first patch, just disables an errant feature, until a real patch can be put together. Then a later delivery (with a bumped sub-version number), removes the temporary patch and fits a proper patch.

Or, if the original patch didn't really fix a problem, the patch could come back later.

I don't really track these, because there's a good chance if this gets inside my computer room, it's a "wipeout". What I don't do, is expose SMB on my Internet connection (computer not connected directly to broadband modem).

To patch the variety of OSes running here at any one time would be a chore, and probably not something I would "do with much style". It would be about as much fun and excitement, as stamp collecting.

I did one patch here, of that variety, and I had to back it out, because it broke functionality. And other people weren't seeing the same symptoms either. What do you do then?

Paul
#5
Arlen Holder wrote:

Eternal Darkness flaw in Windows 10 sounds scary as hell, best to patch it now
https://www.pcgamer.com/eternal-darkness-flaw-in-windows-10-sounds-scary-as-hell-best-to-patch-it-now/

"Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as ThreatPost points out, is the same version that was targeted by the WannaCry ransomware a couple of years ago. And like WannaCry, it has the ability to 'worm' its way through a network to quickly infect multiple PCs."

Sigh! The 'Paul Lilly' character who wrote this, can't read, because 'ThreatPost' does *not* 'point out' what Paul Lilly claims he points out!

For those with even a tad of knowledge in this area, it would be obvious that 'ThreatPost' would be unlikely to have said that, because WannaCry did not target SMB version 3.11 [sic], but version 1!

So what *did* 'ThreatPost' *actually* say in his post which Paul Lilly points to?:

'SMBGhost RCE Exploit Threatens Corporate Networks'
https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391

"Microsoft patched the bug tracked as CVE-2020-0796 back in March; also known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows Server 2019. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol - the same protocol that was targeted by the infamous WannaCry ransomware in 2017. SMB is a file-sharing system that allows multiple clients to access shared folders, and can provide a rich playground for malware when it comes to lateral movement and client-to-client infection. In this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys."

So dear Paul Lilly, 'ThreatPost' says "the same *protocol*", namely SMB, *not* the same *version* of that protocol!

'protocol' != 'version'

Got it!? :-(

And you fsck-ed up the version number, because it's 3.1.1, not 3.11!

Other than that, it's a great article! NOT!

"Paul Lilly Paul has been playing PC games and raking his knuckles on computer hardware since the Commodore 64."

It would have been better if he kept playing games.
#6
On 11 Jun 2020 12:32:40 GMT, Frank Slootweg wrote:

In this case, the bug is an integer overflow vulnerability in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys."

UPDATE:
o SMBGhost vs SMBleed
https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/
"SMBleed affects Windows 10 versions 1903, 1909, and 2004 and the Server Core installations of Windows Server versions 1903, 1909, and 2004; older versions of Windows do not support SMBv3.1.1 compression and are therefore not affected by SMBleed."

Thanks Frank for clarifying where you've always been on top of SMB issues over the years (e.g., on how badly non-rooted Android "SMB servers" interact with Windows, which most people aren't apparently aware of).

I agree (as I mentioned to Paul) the article I quoted was confusing to me, where I thank you for clarifying for the group what was really going on.

I googled backward before I had posted and found only about five posts in the past year with SMB in the SUBJECT line, so I figured it was "new" news, even as it seemed (from the confusing article) to be old bugs repeated.

Unfortunately, the public websearchable archives for this newsgroup suck:
o https://alt.comp.os.windows-10.narkive.com/
Where I'm aware that you're aware of that, as you gave us this one yourself
o http://tinyurl.com/alt-comp-os-windows-10-narkive.com
As I recall.

4. SMB v3.11 flaw SMBGhost Windows 10 exploit actively exploited (fixed in Win10 v2004)
https://alt.comp.os.windows-10.narkive.com/LvLN0iuh/smb-v3-11-flaw-smbghost-windows-10-exploit-actively-exploited-fixed-in-win10-v2004
3. Can no longer connect to Windows Share (Win7) with older SMB clients
https://alt.comp.os.windows-10.narkive.com/aSh13UIt/can-no-longer-connect-to-windows-share-win7-with-older-smb-clients
2. Why would SMB seem to be more reliable than WebDav or FTP or KDEConnect, etc., for Wi-Fi "network connections" between Android & Windows?
https://alt.comp.os.windows-10.narkive.com/SGv5ydAv/why-would-smb-seem-to-be-more-reliable-than-webdav-or-ftp-or-kdeconnect-etc-for-wi-fi-network
1. Accessing a Windows 10 SMB share from a Windows 7 PC
https://alt.comp.os.windows-10.narkive.com/Qo7gYum5/accessing-a-windows-10-smb-share-from-a-windows-7-pc

Searching for more information, Microsoft apparently has this page:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests."

Which, as you noted, was from March.

Which, apparently, described the "seeing double" confusion back then:
Microsoft patches wormable Windows 10 SMBGhost flaw
https://nakedsecurity.sophos.com/2020/03/16/microsoft-patches-wormable-windows-10-smbghost-flaw/
"Seeing double: To a lot of people, that sounded eerily similar to the wormable SMBv1 vulnerability exploited by the global WannaCry and the NotPetya attacks in 2017"

Searching for something current, I found this, dated today:
o Old SMBGhost (SMBv3) vulnerability vs New SMBv3 vulnerability
https://borncity.com/win/2020/06/11/windows-10-smbleed-vulnearbility-in-smbv3-protocol/
"OLD: The SMBGhost vulnerability (CVE-2020-0796) in the compression mechanism of SMBv3.1.1 was fixed about three months ago."
"NEW: When security researchers from Zeop's features investigated this SMBGhost vulnerability, they discovered a new vulnerability in Microsoft's implementation of the SMBv3 protocol (v3.1.1 compression). The researchers refer to the critical vulnerability CVE-2020-1206 as *SMBleed*."
"*SMBleed* is in the same function (Srv2DecompressData function in srv2.sys) as SMBGhost. The bug allows an attacker to read uninitialized kernel memory. The details can be read in the security researchers' analysis. RCE attacks may also be possible.
https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/

--
Working in unison on Usenet in polite discussion we can all learn together.
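
The "integer overflow in the decompression routine" quoted in the posts above, shown as a bug class beside the length check that prevents it. This C example is added here; it is not from the thread and is not Microsoft's code. The 16-byte header layout is assumed from the public MS-SMB2 compression transform header, and `unchecked_total`, `validate_comp_hdr`, the size cap and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout (public MS-SMB2 compression transform header, 16 bytes,
   little-endian): ProtocolId, OriginalCompressedSegmentSize, Algorithm,
   Flags, Offset. The thread itself does not show this layout. */
#define HDR_LEN 16u
#define COMP_MAGIC 0x424D53FCu               /* bytes FC 'S' 'M' 'B' */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bug class: two peer-controlled 32-bit lengths summed with no check.
   0xFFFFFFF0 + 0x20 wraps to 0x10, so a buffer sized from it is far too small. */
uint32_t unchecked_total(uint32_t original_size, uint32_t offset)
{
    return original_size + offset;
}

/* Hypothetical validator: 0 and *total on success, negative reason otherwise. */
int validate_comp_hdr(const uint8_t *pkt, size_t len, uint32_t max_msg,
                      uint32_t *total)
{
    if (len < HDR_LEN) return -1;                  /* truncated header */
    if (rd32(pkt) != COMP_MAGIC) return -2;        /* not a compressed message */
    uint32_t original_size = rd32(pkt + 4);
    uint32_t offset = rd32(pkt + 12);
    if (offset > len - HDR_LEN) return -3;         /* offset runs past received data */
    if (original_size > max_msg || offset > max_msg - original_size)
        return -4;                                 /* sum would wrap or exceed cap */
    *total = original_size + offset;               /* cannot overflow here */
    return 0;
}

int main(void)
{
    /* Constructed sample: claimed size 0xFFFFFFF0, offset 0x20, 32 data bytes. */
    uint8_t pkt[48] = {0xFC, 'S', 'M', 'B', 0xF0, 0xFF, 0xFF, 0xFF,
                       1, 0, 0, 0, 0x20, 0, 0, 0};
    uint32_t total = 0;
    printf("unchecked sum: 0x%x\n", (unsigned)unchecked_total(0xFFFFFFF0u, 0x20u));
    printf("validator:     %d\n", validate_comp_hdr(pkt, sizeof pkt, 1u << 20, &total));
    return 0;
}
```

The validator compares each field against the cap before adding, so the sum is never computed on values that could wrap.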
#7
On Thu, 11 Jun 2020 15:21:04 -0000 (UTC), Arlen Holder wrote:

Unfortunately, the public websearchable archives for this newsgroup suck:
o https://alt.comp.os.windows-10.narkive.com/
Where I'm aware that you're aware of that, as you gave us this one yourself
o http://tinyurl.com/alt-comp-os-windows-10-narkive.com
As I recall.

ooops.... wrong group archive urls.... my mistake
o http://tinyurl.com/alt-comp-os-windows-10
o http://alt.comp.os.windows-10.narkive.com

Where, if I recall correctly, you helped us with the PC Banter site.

--
Every thread should add to the value of our permanent Usenet archive.