Microsoft released the KB4551762 security update to patch the pre-auth RCE Windows 10 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3), two days after details regarding the flaw were leaked as part of the March 2020 Patch Tuesday.

The KB4551762 security update addresses the vulnerability tracked as CVE-2020-0796 in SMB, "a network communication protocol issue that provides shared access to files, printers, and serial ports," according to Microsoft.

KB4551762 can be installed by checking for updates via Windows Update or by manually downloading it for your Windows version from the Microsoft Update Catalog.

"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft says.

The vulnerability, dubbed SMBGhost or EternalDarkness, only impacts devices running Windows 10, versions 1903 and 1909, and Windows Server (Server Core installations), versions 1903 and 1909.

Microsoft explained that the vulnerability exists only in a feature newly added in Windows 10 version 1903: older versions of Windows do not support SMBv3.1.1 compression, the feature behind this bug.

Confirmed Microsoft pushing KB4551762 OOB security update to affected systems via Windows Update

SMBv3 RCE vulnerability

Microsoft shared details on CVE-2020-0796 only after security vendors that are part of the Microsoft Active Protections Program, and that had early access to the flaw's details, published information during the March 2020 Patch Tuesday.

At the time, after news of a wormable pre-auth RCE vulnerability affecting SMBv3 had spread, Microsoft published an advisory with more information on the leaked bug and a mitigation designed to block potential attacks.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

DoS and LPE proof-of-concepts demoed by researchers

Researchers at cybersecurity firm Kryptos Logic discovered 48,000 Windows 10 hosts vulnerable to attacks targeting the CVE-2020-0796 vulnerability and also shared a demo video of a denial-of-service proof-of-concept exploit created by security researcher Marcus Hutchins.

SophosLabs' Offensive Research team also developed and shared a video demo of a local privilege escalation proof-of-concept exploit that allows attackers with low-level privileges to gain SYSTEM-level privileges.

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," Kryptos Logic said, adding that malicious actors are probably also close to developing their own exploits for CVE-2020-0796.

For admins who cannot apply the security update at the moment, Microsoft provides a mitigation for SMB servers and recommends disabling SMBv3 compression using the following PowerShell command (no restart is required; note that this workaround does not protect SMB clients from exploitation):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
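The check an administrator would want alongside that one-liner, as an added example that is not from the article or from Microsoft: it reports whether a Windows 10 host is on an affected build, whether KB4551762 is installed, and whether the server-side workaround is in place, and applies the workaround only if asked. It assumes it runs elevated and that build numbers 18362 and 18363 identify Windows 10 1903 and 1909; the -ApplyWorkaround switch is this script's own.

```powershell
# Added example (not from the article or Microsoft's advisory): audit one host for its
# CVE-2020-0796 patch/workaround state and optionally apply the registry workaround.
# Assumptions: run as administrator; builds 18362/18363 are Windows 10 1903/1909.
param(
    [switch]$ApplyWorkaround   # hypothetical switch: set DisableCompression=1 if unpatched
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$affectedBuilds = @('18362', '18363')   # 1903 and 1909 (assumed build numbers)

$build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($affectedBuilds -notcontains $build) {
    Write-Output "Build $build is not 1903/1909; SMBv3.1.1 compression is not present."
    return
}

# 1. Is the out-of-band update from the article installed?
$patched = $null -ne (Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

# 2. Is the server-side workaround set? A missing value means compression stays enabled.
$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$disableCompression = if ($null -ne $props.DisableCompression) { [int]$props.DisableCompression } else { 0 }

Write-Output ("Build {0}: KB4551762 installed = {1}; DisableCompression = {2}" -f $build, $patched, $disableCompression)

if (-not $patched -and $disableCompression -ne 1) {
    Write-Warning 'Unpatched and SMBv3 compression enabled: exposed to CVE-2020-0796 on TCP/445.'
    if ($ApplyWorkaround) {
        # Same value Microsoft's advisory sets; takes effect without a restart.
        Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force
        $verify = (Get-ItemProperty -Path $regPath).DisableCompression
        Write-Output "Workaround applied; DisableCompression now = $verify"
    }
}
elseif (-not $patched) {
    # The registry value only covers the server role; the SMB client path stays exposed.
    Write-Output 'Server-side workaround present; SMB client remains exposed until KB4551762 is installed.'
}
else {
    Write-Output 'KB4551762 installed; host is patched.'
}
```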

Enterprise customers are also advised to block TCP port 445 at the enterprise perimeter firewall to prevent attacks against SMB servers that attempt to exploit the flaw.

While malicious scans for vulnerable Windows 10 systems haven't been detected so far, attacks targeting unpatched devices are likely imminent, given that PoC exploits have already been developed and that the bug is easy to analyze.