115 vulnerabilities were patched in the March 2020 Patch Tuesday, with 24 of these classified as critical, 88 as important, and 3 as moderate. However, one particular vulnerability stands out.
CVE-2020-0796: A Ghost Vulnerability?
Microsoft leaked information about CVE-2020-0796, a wormable pre-auth remote code execution flaw in the Server Message Block 3.0 (SMBv3) network communication protocol. The vulnerability should have been disclosed as part of March 2020 Patch Tuesday. It is curious that Microsoft didn’t publish an advisory about CVE-2020-0796.
However, several security vendors that are part of the Microsoft Active Protections Program, like Fortinet and Cisco Talos, received early information about the flaw and released details about it.
The vulnerability is known to stem from an error that occurs when SMBv3 handles maliciously compressed data packets. The flaw could allow remote, unauthenticated attackers to execute arbitrary code within the context of the application.
According to Cisco Talos, an attacker could exploit the vulnerability by sending a specially crafted packet to the target SMBv3 server, to which the target needs to be connected. The exploitation of the flaw creates a wormable attack. It is highly suspicious that Cisco Talos has since removed their report, and it’s no longer available online.
Fortinet’s report is still online, and it says that “this indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers.” In terms of impact, remote attackers can gain control of vulnerable systems.
Microsoft has been quite secretive with regard to CVE-2020-0796, and security researchers are starting to worry that the bug could be as severe as EternalBlue, NotPetya, WannaCry, and MS17-010.
MalwareHunterTeam suggested the name SMBGhost for it, and others have called it DeepBlue3, Redmond Drift, CoronaBlue, and NexteternalBlue.
March 2020 Patch Tuesday: What’s Been Patched?
As already mentioned, a total of 115 vulnerabilities were addressed, with 24 of these classified as critical, 88 as important, and 3 as moderate.
Some of the critical vulnerabilities are CVE-2020-0824, an Internet Explorer memory corruption flaw; CVE-2020-0768, a Scripting Engine memory corruption flaw; CVE-2020-0905, a Dynamics Business Central RCE flaw; CVE-2020-0816, a Microsoft Edge memory corruption flaw; two GDI+ RCE flaws (CVE-2020-0881 and CVE-2020-0883); CVE-2020-0852, a Microsoft Word RCE, etc.
Here’s the full report containing details of all 115 flaws fixed in this month’s Patch Tuesday.