
CISA warns Microsoft SMB v3 vulnerability is under attack

CISA issued an alert Friday about attacks on a Microsoft Server Message Block v3 vulnerability and proof-of-concept code that exploits the flaw on unpatched systems.

The Cybersecurity and Infrastructure Security Agency issued an alert Friday about a critical vulnerability in Microsoft's Server Message Block, which the agency said is under attack.

The Microsoft SMB v3 vulnerability, CVE-2020-0796, was disclosed and patched in March. CISA's alert said functional proof-of-concept (PoC) code exploits the flaw on systems that haven't been patched.

"Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports," the CISA alert said.

It is unknown which PoC code is currently being used for exploitation, or which threat actors are taking advantage of the SMB vulnerability. Microsoft did not respond to questions about the reported attacks on CVE-2020-0796, but a spokesperson offered the following comment:

"We recommend customers install updates as soon as possible as publicly disclosed vulnerabilities have the potential to be leveraged by bad actors. An update for this vulnerability was released in March, and customers who have installed the updates, or have automatic updates enabled, are already protected," the spokesperson wrote to SearchSecurity in an email.

In addition to the comment above, the Microsoft spokesperson provided two workarounds that protect against attacks: disabling SMB compression and blocking port 445. Detailed guidance can be found here.
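The two workarounds the spokesperson names can be audited and applied from an elevated PowerShell session. The script below is an added example written for this article, not code from Microsoft or CISA; the DisableCompression registry value under LanmanServer\Parameters is Microsoft's documented workaround for this flaw, while the firewall rule name and the function names are assumptions chosen for the example.

```powershell
# Added example (not from the article): audit and apply the two mitigations
# cited for CVE-2020-0796 -- disable SMBv3 compression and block inbound
# TCP 445 -- on a Windows host. Run from an elevated PowerShell prompt.
# DisableCompression=1 is Microsoft's documented server-side workaround;
# the rule display name below is an assumption made for this example.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName  = 'Block inbound SMB (TCP 445) - CVE-2020-0796 workaround'  # assumed name

function Get-SmbCompressionState {
    # Returns $true when SMBv3 compression is disabled (DisableCompression = 1).
    # A missing value means compression is still enabled (the default).
    $value = (Get-ItemProperty -Path $SmbParams -Name DisableCompression `
                -ErrorAction SilentlyContinue).DisableCompression
    return ($value -eq 1)
}

function Disable-SmbCompression {
    # Apply the workaround; it takes effect immediately, no reboot required.
    Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWord -Value 1 -Force
}

function Enable-SmbCompression {
    # Reverse the workaround once the March 2020 security update is installed.
    Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWord -Value 0 -Force
}

function Test-Smb445Blocked {
    # $true if an enabled inbound Block rule with our display name exists.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

function Block-Smb445Inbound {
    # Create the inbound block rule for TCP/445 on all profiles if it is absent.
    if (-not (Test-Smb445Blocked)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Get-Cve20200796Posture {
    # Summarise the host's mitigation state as an object suitable for reporting
    # or for export to CSV across a fleet.
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        SmbCompressionDisabled = Get-SmbCompressionState
        Port445Blocked         = Test-Smb445Blocked
    }
}

# --- usage: audit, mitigate, re-audit ---
Get-Cve20200796Posture | Format-List
if (-not (Get-SmbCompressionState)) { Disable-SmbCompression }
Block-Smb445Inbound
Get-Cve20200796Posture | Format-List
```

Two practical caveats: the registry workaround only prevents exploitation of the SMB server role, so a client connecting to a malicious server is not protected by it, and blocking inbound 445 at the host firewall stops legitimate file and printer sharing on that machine. Both are stopgaps until the March update is installed, after which Enable-SmbCompression restores the default.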

The vulnerability itself is a remote code execution flaw present in the way Microsoft's Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. If the vulnerability is successfully exploited, a threat actor could execute code on the targeted system. Rated as critical severity, it has been given a Common Vulnerability Scoring System (CVSS) base score of 10 -- the highest possible.

The SMB vulnerability was accidentally disclosed in March when Cisco Talos published a report on Microsoft's Patch Tuesday, which included information about the flaw and "wormable" attacks that could exploit it. However, CVE-2020-0796 was not included in that month's Patch Tuesday. Microsoft released patches for the vulnerability two days later.
