Monthly Archives: March 2020

CVE-2020-0796 – New Critical SMB V3 Vulnerability. Time to Panic?

22 March 2020

On March 12, 2020 Microsoft published a CVSS V3.1 severity 10 vulnerability in the SMBv3 protocol. CVE-2020-0796 (1), also called CoronaBlue, impacts the Windows 10 client and server versions 1903 and 1909.

The bad news first. CoronaBlue is like Eternalblue/WannaCry a wormable remote code execution vulnerability. A single Windows 10 system with SMBv3 protocol installed and port 445 open to the internet is enough for infiltration of a network.

The good news is that only few systems with Windows 10 version 1903 or 1909 have port 445 exposed to the internet. Theses Windows versions are just too new.

Nevertheless, immediate patching is required because a proof of concept exploit code was published on March 14, 2020.

In addition, Microsoft recommends deactivating SMBv3 compression unless the patches are installed and activated (2).

But the most important advice Microsoft gives is:

Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks.

This advice holds for all SMB versions. There is no need to access Windows systems through the SMB protocol from the internet. Therefore, this protocol should be blocked by the internet facing firewall of DMZs. No exceptions! Apparently, some thousand CISOs do not care:

Windows systems with SMB ports open to the internet.

Windows systems with SMB ports open to the internet.

Have a great week. And check your firewall rules!


References

  1. NIST NVD. NVD – CVE-2020-0796 [Internet]. NIST Information Technology Laboratory. 2020 [cited 2020 Mar 22]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2020-0796
  2. MSRC. CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability [Internet]. Microsoft Security. [cited 2020 Mar 22]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Microsoft previews Microsoft Defender ATP for Linux – No reason to celebrate!

7 March 2020

At the Ignite 2019 Microsoft announced that “Defender ATP is coming to Linux in 2020” (1). The preview version is available since the end of February (2).

To be clear, I think Microsoft Defender ATP is a good product. It benefits from millions of sensors installed on consumer and company computers. And, with the entire Defender suite installed, companies can gain a good security level.

COVID-19 Virus ultrastructural morphology

COVID-19 Virus ultrastructural morphology. Picture by CDC/ Alissa Eckert, MS; Dan Higgins, MAMS

Just to recap on why we need anti-malware products: We live in an operating system monoculture. Windows is everywhere, on the clients, on the servers, in the cloud. All windows systems are networked for reasons of efficiency. The drawback of all mononcultures is that they are vulnerable against diseases. Covid-19 is a current example in the real world, WannaCry and NotPetya are well known examples in cyber space.

Microsoft loves Linux, and starts implanting genes from the Windows DNA into the Linux DNA; the .Net framework, PowerShell, Windows Defender ATP. Since the cost pressure in IT is high, companies will start using this products.

Good for the EBIT, bad for cyber security. PowerShell for example is often used in malware attacks (3). It’s merely a matter of time before cyber attackers start leveraging PowerShell on Linux. Living off the Land attacks will work on Linux and Windows, in the worst case with no changes to the code. With that, Linux is getting vulnerable against attacks that were so far only known from Windows.

Especially for operators of critical infrastructures is a clear strategy for operating Microsoft products on Linux required to keep the risk from this cross-over at an acceptable level.

For advice in securing PowerShell see publication “Securing PowerShell in the Enterprise” of the Australian Cyber Security Center (4).

Have a great weekend!


References

  1. Tung L. Microsoft: Defender ATP is coming to Linux in 2020 [Internet]. ZDNet. 2019 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-defender-atp-is-coming-to-linux-in-2020/
  2. Vaughan-Nichols SJ. Microsoft previews Microsoft Defender ATP for Linux [Internet]. ZDNet. 2020 [cited 2020 Mar 7]. Available from: https://www.zdnet.com/article/microsoft-previews-microsoft-defender-atp-for-linux/
  3. Help Net Security. 91% of critical incidents involve known, legitimate binaries like PowerShell [Internet]. Help Net Security. 2018 [cited 2020 Mar 6]. Available from: https://www.helpnetsecurity.com/2018/06/28/incidents-legitimate-binaries/
  4. Australian Cyber Security Center. Securing PowerShell in the Enterprise | Cyber.gov.au [Internet]. Australian Signals Directorate. 2019 [cited 2020 Mar 6]. Available from: https://www.cyber.gov.au/publications/securing-powershell-in-the-enterprise