A critical vulnerability (CVE-2020-0796) called “EternalDarkness” in the SMB protocol was reported yesterday in Windows systems, specifically Windows 10 and Windows Server. The vulnerability can be prevented on servers with a workaround, but not on private machines. In any case, Microsoft recommends updating systems as soon as updates are available and disabling the workaround. At this time it is not clear when and how the vulnerability will be closed.
The Server Message Block protocol in version 3(SMBv3) contains a vulnerability. The vulnerability is designated by Tenable as “EternalDarkness”. Exact details are not yet known, but it is a pre-authentic remote code execution vulnerability. This means that an attacker can execute arbitrary, potentially malicious code on the system via the SMB protocol without prior authentication. Specifically, this vulnerability means that if a system is accessible by you from the Internet, it is vulnerable. Servers are attacked with a specially crafted package, while computers or clients are attacked with the help of malicious SMBv3 servers. To make matters worse, the vulnerability is “wormable”, meaning it spreads by itself, similar to WannaCry and NotPetya which caused immense damage in spring and summer 2017. Both tools were at that time a supposed result of the ShadowBroker NSA leaks. Fortiguard writes that EternalDarkness is based on a buffer overflow. According to Microsoft, the following systems are currently affected:
- Windows 10 version 1903 for 32-bit systems
- Windows 10 version 1903 for x64-based systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows 10 version 1909 for 32-bit systems
- Windows 10 version 1909 for x64-based systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows Server, version 1909 (Server Core installation)
What can you do?
As an owner of a Windows 10 system, nothing at the moment, except waiting for the patch to be released. For server operators, however, there is a workaround which allows to prevent infection. This workaround works ONLY on Windows Server systems. As owner of a Windows 10 laptop you will not protect your system from EternalDarkness with this workaround. The following information is intended for administrators. Only run these commands if you know what you are doing.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
According to Microsoft, there is no need to “reboot” the system for the workaround to become active. As said, this patch is only for Windows Server systems. Clients are unaffected.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
No reboot is necessary either.
If you have a perimeter firewall and want to protect your entire network, you should block TCP port 445 to protect the systems behind your firewall. This can prevent attacks from outside the network, for example from the Internet, but does not prevent internal attacks. There is also a guide from Microsoft that will help you prevent SMB traffic from leaving your own network. The Cert Coordination Center also recommends that outgoing SMB connections (TCP port 445 for SMBv3) from the local network to the WAN should be blocked. As an administrator, you may also consider temporarily disabling all traffic on port 445 of your clients.
Why is this vulnerability public?
A previously unnamed security vendor inadvertently released the vulnerability in relation to Microsoft Patch Tuesday. The vendor had taken the blog post offline shortly after, but by this time the information had spread and Microsoft released ADV200005 to provide at least the workaround mentioned above. It is currently not known that this vulnerability is exploited “in the wild”. There is also no proof of concept that shows how to exploit EternalDarkness conceptually.
Registered users of RISKREX will be notified later this morning if any systems are accessible from the Internet that are potentially vulnerable to this attack. We always look for old SMB versions in our pentests, due to vulnerabilities in them and we will add SMBv3 as of now.
The information from this blog post is provided without any guarantee. AWARE7 disclaims all warranties, express or implied, including warranties of merchantability and fitness for a particular purpose. In no event shall AWARE7 or its suppliers be liable for damages of any kind, including direct, indirect, incidental, consequential, lost business profits, or special damages, even if AWARE7 or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply.
This post is also available in: Deutsch (German)