SMB v3.11 flaw SMBGhost Windows 10 exploit actively exploited (fixed in Win10 v2004)



 
 
  #1  
Old June 10th 20, 04:41 PM posted to alt.comp.os.windows-10
Arlen Holder[_9_]

Eternal Darkness flaw in Windows 10 sounds scary as hell, best to patch it now
https://www.pcgamer.com/eternal-darkness-flaw-in-windows-10-sounds-scary-as-hell-best-to-patch-it-now/

"Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as
ThreatPost points out, is the same version that was targeted by the
WannaCry ransomware a couple of years ago. And like WannaCry, it has the
ability to 'worm' its way through a network to quickly infect multiple
PCs."
--
"You could also apply the May 2020 Update for Windows 10 (version 2004) if
you have been putting that off, as this does not affect the latest
release."
  #2  
Old June 10th 20, 08:15 PM posted to alt.comp.os.windows-10
Paul[_32_]

Arlen Holder wrote:
Eternal Darkness flaw in Windows 10 sounds scary as hell, best to patch it now
https://www.pcgamer.com/eternal-darkness-flaw-in-windows-10-sounds-scary-as-hell-best-to-patch-it-now/

"Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as
ThreatPost points out, is the same version that was targeted by the
WannaCry ransomware a couple of years ago. And like WannaCry, it has the
ability to 'worm' its way through a network to quickly infect multiple
PCs."


"Microsoft explains that "the vulnerability exists in a new feature
that was added to Windows 10 version 1903" and that "older versions
of Windows do not support SMBv3.1.1 compression.""

Added for the benefit of Windows 7 owners (who might have been
searching for a patch for it).

Paul
  #3  
Old June 10th 20, 08:29 PM posted to alt.comp.os.windows-10
Arlen Holder[_9_]

On Wed, 10 Jun 2020 15:15:34 -0400, Paul wrote:

"Microsoft explains that "the vulnerability exists in a new feature
that was added to Windows 10 version 1903" and that "older versions
of Windows do not support SMBv3.1.1 compression."


Hi Paul,
I was confused as to whether Microsoft "re-introduced" this bug, much like
Apple is wont to do...

Did Microsoft know about this... then patch it... and then, later,
re-introduce it?
--
If so, that's really bad QA.
  #4  
Old June 10th 20, 09:00 PM posted to alt.comp.os.windows-10
Paul[_32_]

Arlen Holder wrote:
On Wed, 10 Jun 2020 15:15:34 -0400, Paul wrote:

"Microsoft explains that "the vulnerability exists in a new feature
that was added to Windows 10 version 1903" and that "older versions
of Windows do not support SMBv3.1.1 compression."


Hi Paul,
I was confused as to whether Microsoft "re-introduced" this bug, much like
Apple is wont to do...

Did Microsoft know about this... then patch it... and then, later,
re-introduce it?


A patch for a CVE can be delivered multiple times.

Maybe a first patch, just disables an errant feature, until
a real patch can be put together. Then a later delivery
(with a bumped sub-version number), removes the temporary
patch and fits a proper patch.

Or, if the original patch didn't really fix a problem,
the patch could come back later.

I don't really track these, because there's a good chance
if this gets inside my computer room, it's a "wipeout".
What I don't do, is expose SMB on my Internet connection
(computer not connected directly to broadband modem).

To patch the variety of OSes running here at any one time
would be a chore, and probably not something I would
"do with much style". It would be about as much fun
and excitement, as stamp collecting.

I did one patch here, of that variety, and I had to back
it out, because it broke functionality. And other people
weren't seeing the same symptoms either. What do you
do then ?

Paul
  #5  
Old June 11th 20, 01:32 PM posted to alt.comp.os.windows-10
Frank Slootweg

Arlen Holder wrote:
Eternal Darkness flaw in Windows 10 sounds scary as hell, best to patch it now
https://www.pcgamer.com/eternal-darkness-flaw-in-windows-10-sounds-scary-as-hell-best-to-patch-it-now/

"Eternal Darkness/SMBGhost affects version 3.11 of the protocol, which as
ThreatPost points out, is the same version that was targeted by the
WannaCry ransomware a couple of years ago. And like WannaCry, it has the
ability to 'worm' its way through a network to quickly infect multiple
PCs."


Sigh! The 'Paul Lilly' character who wrote this, can't read, because
'ThreatPost' does *not* 'point out' what Paul Lilly claims he points
out!

For those with even a tad of knowledge in this area, it would be
obvious that 'ThreatPost' would be unlikely to have said that, because
WannaCry did not target SMB version 3.11 [sic], but version 1!

So what *did* 'ThreatPost' *actually* say in his post which Paul Lilly
points to?:

'SMBGhost RCE Exploit Threatens Corporate Networks'
https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391

"Microsoft patched the bug tracked as CVE-2020-0796 back in March; also
known as SMBGhost or CoronaBlue, it affects Windows 10 and Windows
Server 2019. It exists in version 3.1.1 of the Microsoft Server Message
Block (SMB) protocol - the same protocol that was targeted by the
infamous WannaCry ransomware in 2017. SMB is a file-sharing system that
allows multiple clients to access shared folders, and can provide a
rich playground for malware when it comes to lateral movement and
client-to-client infection.

In this case, the bug is an integer overflow vulnerability in the
SMBv3.1.1 message decompression routine of the kernel driver srv2.sys."

So dear Paul Lilly, 'ThreatPost' says "the same *protocol*", namely
SMB, *not* the same *version* of that protocol! 'protocol' != 'version'
Got it!? :-(

And you fsck-ed up the version number, because it's 3.1.1, not 3.11!
Other than that, it's a great article! NOT!

"Paul Lilly

Paul has been playing PC games and raking his knuckles on computer
hardware since the Commodore 64."

It would have been better if he kept playing games.
  #6  
Old June 11th 20, 04:21 PM posted to alt.comp.os.windows-10
Arlen Holder[_9_]

On 11 Jun 2020 12:32:40 GMT, Frank Slootweg wrote:

In this case, the bug is an integer overflow vulnerability in the
SMBv3.1.1 message decompression routine of the kernel driver srv2.sys."


UPDATE:
o SMBGhost vs SMBleed
https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/
"SMBleed affects Windows 10 versions 1903, 1909, and 2004 and the
Server Core installations of Windows Server versions 1903, 1909,
and 2004; older versions of Windows do not support SMBv3.1.1
compression and are therefore not affected by SMBleed."

Thanks Frank for clarifying where you've always been on top of SMB issues
over the years (e.g., on how badly non-rooted Android "SMB servers"
interact with Windows, which most people aren't apparently aware of).

I agree (as I mentioned to Paul) the article I quoted was confusing to me,
where I thank you for clarifying for the group what was really going on.

I googled backward before I had posted and found only about five posts in
the past year with SMB in the SUBJECT line, so I figured it was "new" news,
even as it seemed (from the confusing article) to be old bugs repeated.

Unfortunately, the public websearchable archives for this newsgroup suck:
o https://alt.comp.os.windows-10.narkive.com/
Where I'm aware that you're aware of that, as you gave us this one yourself
o http://tinyurl.com/alt-comp-os-windows-10-narkive.com
As I recall.

4. SMB v3.11 flaw SMBGhost Windows 10 exploit actively exploited (fixed in Win10 v2004)
https://alt.comp.os.windows-10.narkive.com/LvLN0iuh/smb-v3-11-flaw-smbghost-windows-10-exploit-actively-exploited-fixed-in-win10-v2004

3. Can no longer connect to Windows Share (Win7) with older SMB clients
https://alt.comp.os.windows-10.narkive.com/aSh13UIt/can-no-longer-connect-to-windows-share-win7-with-older-smb-clients

2. Why would SMB seem to be more reliable than WebDav or FTP or KDEConnect, etc., for Wi-Fi "network connections" between Android & Windows?
https://alt.comp.os.windows-10.narkive.com/SGv5ydAv/why-would-smb-seem-to-be-more-reliable-than-webdav-or-ftp-or-kdeconnect-etc-for-wi-fi-network

1. Accessing a Windows 10 SMB share from a Windows 7 PC
https://alt.comp.os.windows-10.narkive.com/Qo7gYum5/accessing-a-windows-10-smb-share-from-a-windows-7-pc

Searching for more information, Microsoft apparently has this page:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
"Microsoft is aware of a remote code execution vulnerability
in the way that the Microsoft Server Message Block 3.1.1
(SMBv3) protocol handles certain requests."
Which, as you noted, was from March.

Which, apparently, described the "seeing double" confusion back then:
Microsoft patches wormable Windows 10 SMBGhost flaw
https://nakedsecurity.sophos.com/2020/03/16/microsoft-patches-wormable-windows-10-smbghost-flaw/
"Seeing double: To a lot of people, that sounded eerily similar
to the wormable SMBv1 vulnerability exploited by the global
WannaCry and the NotPetya attacks in 2017"

Searching for something current, I found this, dated today:
o Old SMBGhost (SMBv3) vulnerability vs New SMBv3 vulnerability
https://borncity.com/win/2020/06/11/windows-10-smbleed-vulnearbility-in-smbv3-protocol/
"OLD: The SMBGhost vulnerability (CVE-2020-0796) in the compression
mechanism of SMBv3.1.1 was fixed about three months ago."
"NEW: When security researchers from Zeop's features investigated this
SMBGhost vulnerability, they discovered a new vulnerability in
Microsoft's implementation of the SMBv3 protocol (v3.1.1 compression).
The researchers refer to the critical vulnerability CVE-2020-1206 as
*SMBleed*."

"*SMBleed* is in the same function (Srv2DecompressData function in
srv2.sys) as SMBGhost. The bug allows an attacker to read uninitialized
kernel memory. The details can be read in the security researchers'
analysis. RCE attacks may also be possible."
https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/
--
Working in unison on Usenet in polite discussion we can all learn together.
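
Added example (not part of any post in this thread): the quotes above tie both bugs to hosts that support SMBv3.1.1 compression, and a server advertises that support in its SMB2 NEGOTIATE response. This sketch parses such a response, using the MS-SMB2 field layout, and lists the advertised algorithms; the function names and both sample messages are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
DIALECT_311 = 0x0311
CTX_COMPRESSION = 0x0003  # SMB2_COMPRESSION_CAPABILITIES negotiate context
ALGORITHMS = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}

def compression_algorithms(msg: bytes) -> list:
    """Algorithms advertised in a NEGOTIATE response; [] means none negotiated."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response")
    if struct.unpack_from("<H", msg, 12)[0] != 0:  # Command must be NEGOTIATE
        raise ValueError("not a NEGOTIATE message")
    dialect, ctx_count = struct.unpack_from("<HH", msg, 64 + 4)
    if dialect != DIALECT_311:
        return []  # negotiate contexts only exist in dialect 3.1.1
    pos = struct.unpack_from("<I", msg, 64 + 60)[0]  # NegotiateContextOffset
    found = []
    for _ in range(ctx_count):
        if pos + 8 > len(msg):
            raise ValueError("truncated negotiate context header")
        ctx_type, data_len = struct.unpack_from("<HH", msg, pos)
        data = msg[pos + 8 : pos + 8 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated negotiate context data")
        if ctx_type == CTX_COMPRESSION:
            count = struct.unpack_from("<H", data, 0)[0] if data_len >= 8 else -1
            if count < 0 or 8 + 2 * count > data_len:
                raise ValueError("bad compression capabilities context")
            ids = struct.unpack_from(f"<{count}H", data, 8)
            found += [ALGORITHMS.get(i, hex(i)) for i in ids if i != 0]  # 0 = NONE
        pos += 8 + ((data_len + 7) & ~7)  # contexts are 8-byte aligned
    return found

def build_sample(dialect: int, contexts: list) -> bytes:
    """Constructed NEGOTIATE response for the demo (not a real capture)."""
    header = SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)  # Command = 0
    body = struct.pack("<HHHH", 65, 0, dialect, len(contexts)) + bytes(48)
    body += struct.pack("<HHI", 128, 0, 128)  # security buffer, context offset
    for ctx_type, data in contexts:
        body += struct.pack("<HHI", ctx_type, len(data), 0) + data
        body += bytes(-len(body) % 8)
    return header + body

PREAUTH = (0x0001, struct.pack("<HHH", 1, 32, 1) + bytes(32))  # constructed
COMPRESSION = (CTX_COMPRESSION, struct.pack("<HHIH", 1, 0, 0, 1))  # LZNT1
SAMPLE_311 = build_sample(0x0311, [PREAUTH, COMPRESSION])
SAMPLE_302 = build_sample(0x0302, [])
```

An empty result for a host means it did not offer compression in that exchange; it says nothing about whether the host is patched.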
  #7  
Old June 11th 20, 04:48 PM posted to alt.comp.os.windows-10
Arlen Holder[_9_]

On Thu, 11 Jun 2020 15:21:04 -0000 (UTC), Arlen Holder wrote:

Unfortunately, the public websearchable archives for this newsgroup suck:
o https://alt.comp.os.windows-10.narkive.com/
Where I'm aware that you're aware of that, as you gave us this one yourself
o http://tinyurl.com/alt-comp-os-windows-10-narkive.com
As I recall.


ooops.... wrong group archive urls.... my mistake
o http://tinyurl.com/alt-comp-os-windows-10
o http://alt.comp.os.windows-10.narkive.com

Where, if I recall correctly, you helped us with the PC Banter site.
--
Every thread should add to the value of our permanent Usenet archive.
 



