Image: Geralt on Pixabay

Details about a new "wormable" vulnerability in the Microsoft Server Message Block (SMB) protocol have accidentally leaked online today during the preamble to Microsoft's regular Patch Tuesday update cycle.

No technical details have been published, but short summaries describing the bug have been posted on the websites of two cyber-security firms, Cisco Talos and Fortinet.

The security flaw, tracked as CVE-2020-0796, is not included with this month's March 2020 Patch Tuesday updates, and it's unclear when it will be patched.

Buffer overflow in SMBv3

According to Fortinet, the bug was described as "a Buffer Overflow Vulnerability in Microsoft SMB Servers" and received a maximum severity rating.

"The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet," Fortinet said. "A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application."

A similar description was also posted -- and later removed -- in a Cisco Talos blog post. The company said that "the exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim."

Warning of a wormable bug impacting SMB stands to send chills down some system administrators' backs. This is because SMB is the same protocol that helped the WannaCry and NotPetya ransomware strains spread globally through a worm-like behavior during the spring and summer of 2017.

No attacks expected right now

However, there is currently no danger to organizations worldwide. Only details about the bug leaked online, not actual exploit code, as it did in 2017.

Although today's leak alerted some bad actors about a major bug's presence in SMBv3, exploitation attempts aren't expected to start anytime soon.

Furthermore, there are also other positives. For example, this new "wormable SMB bug" only impacts SMBv3, the latest version of the protocol, included only with recent versions of Windows.

More specifically, Fortinet only lists Windows 10 v1903, Windows10 v1909, Windows Server v1903, and Windows Server v1909 as impacted by the new CVE-2020-0796 bug.

Unclear how the leak happened

How and why the details about such a critical vulnerability leaked online remains a mystery, at least for now. Microsoft did not return a request for comment before this article's publication.

There are currently two theories about how this might have happened. The first involves the Common Vulnerability Reporting Framework (CVRF) and the Microsoft Active Protections Program (MAPP).

This refers to Microsoft sharing details about upcoming patches with trusted industry partners, such as antivirus makers and hardware vendors.

The theory is that Microsoft might have shared a list of upcoming vulnerabilities, but then removed the bug from the list with little time for some vendors -- like Cisco Talos and Fortinet -- to update their own security advisories.

Microsoft releases early versions of their CVRF to MAPP, and then pulls CVEs at the last minute without telling anyone. When they then fail to publish the public CVRF in a timely manner, it's understandable that mistakes like this will happen. — regnil (@regnil) March 10, 2020

The second is that the info about CVE-2020-0796 was accidentally shared via the Microsoft API, which some antivirus vendors, sysadmins, and reporters scrape for information about Patch Tuesday patches, as soon as they come out.

The theory is that the bug might have been initially scheduled to receive a patch this month, but was later pulled; however, without being removed from the API, and eventually making its way into the Talos and Fortinet advisories.

Most likely a bug that they expected to patch but didn't.



They probably forgot to remove it from the Microsoft API serving Patch Tuesday details, so now every cybersecurity firm scraping that API has listed the bug in its advisories.



The API's down now, btw pic.twitter.com/9wruB0okbz — Catalin Cimpanu (@campuscodi) March 10, 2020

Microsoft did not return a request for comment about when a patch will be delivered for CVE-2020-0796.

Until then, Cisco Talos' now-deleted advice remains the most reliable advice on dealing with any unexpected situations in relation to this bug.

"Users are encouraged to disable SMBv3 compression and block TCP port 445 on firewalls and client computers."

In light of the patching snafu, some security researchers have now started calling the bug SMBGhost, as everyone knows the bug is there, but nobody can see it.

Updated to add that instructions on how to safely/correctly disable SMBv3 compression have been published in a Microsoft security advisory that went live after this article's publication.