
Critical Microsoft vulnerability from 2020 added to list of exploited flaws


A high-severity remote code execution vulnerability affecting some versions of Microsoft Windows Server and Windows 10 has been added to CISA’s Known Exploited Vulnerabilities Catalog.

It’s among 15 flaws that have been added to the catalog of exploited vulnerabilities by the federal Cybersecurity and Infrastructure Security Agency (CISA) as of today.

The Microsoft Windows remote code execution flaw (CVE-2020-0796) was initially disclosed in March 2020 and carries the highest possible severity rating — 10.0 out of 10.0. The vulnerability was widely publicized at the time of its disclosure, and has been referred to in the past by names including “EternalDarkness” and “SMBGhost.”

While it’s not clear what specifically led to the addition of the vulnerability to the CISA catalog now, the new inclusion should serve as a reminder to any organizations with remaining vulnerable systems to apply the available patches. VentureBeat has reached out to CISA to confirm whether this is the first time the vulnerability is known to have been exploited.

Notably, however, the deadline set by CISA for federal agencies to remediate CVE-2020-0796 is a full six months away — August 10, 2022.

“Certainly, intelligence on what exploits are active matters,” said John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich, in an email to VentureBeat. “However, when you can wait until August to patch, say, Eternal Darkness, it’s hard to see any real urgency.”

The Microsoft remote code execution (RCE) vulnerability is the most severe flaw among the newly added vulnerabilities, though two others carry a severity rating of 9.8 out of 10.0. Those are a code execution vulnerability that affects some versions of Jenkins (CVE-2018-1000861) and an improper input validation vulnerability in some versions of Apache ActiveMQ (CVE-2016-3088).

The additions to the CISA catalog are “based on evidence that threat actors are actively exploiting the vulnerabilities,” CISA says on its disclosure page.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” CISA says. By including the vulnerabilities in its Known Exploited Vulnerabilities Catalog, CISA directed federal agencies to update their systems with available patches.

All of the newly added vulnerabilities have a remediation due date of August 10, with one exception. A Microsoft Windows local privilege escalation vulnerability (CVE-2021-36934) has a deadline of February 24. The flaw has a severity rating of 7.8.

Remote code execution

For CVE-2020-0796, the Windows RCE vulnerability “exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests,” Microsoft says on its disclosure page.

“An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client,” the company said.

“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,” Microsoft said. “To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”

The patch addressing the vulnerability corrects how the SMBv3 protocol handles such requests, according to the company.

Versions of Microsoft Windows affected by the CVE-2020-0796 RCE vulnerability are:

Windows Server

  • Version 1903 (Server Core Installation)
  • Version 1909 (Server Core Installation)

Windows 10

  • Version 1903 for 32-bit Systems
  • Version 1903 for ARM64-based Systems
  • Version 1903 for x64-based Systems
  • Version 1909 for 32-bit Systems
  • Version 1909 for ARM64-based Systems
  • Version 1909 for x64-based Systems
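The following PowerShell script is an added example for triaging a single Windows host against the description and version list above; it is not code from the article, Microsoft, or CISA. It assumes three facts from Microsoft’s March 2020 advisory for CVE-2020-0796: the affected builds are 18362 (version 1903) and 18363 (version 1909), the fix shipped in the out-of-band update KB4551762, and the published interim workaround for the server role is the DisableCompression registry value under LanmanServer\Parameters (which does not protect the SMB client role). The function and variable names are the example’s own.

```powershell
# Added example: triage one Windows host for CVE-2020-0796 (SMBGhost / EternalDarkness).
# Assumptions (from Microsoft's advisory, not from the article):
#   - affected builds: 18362 (1903) and 18363 (1909), client and Server Core alike
#   - fix: out-of-band update KB4551762 (March 2020)
#   - workaround: DisableCompression=1 under LanmanServer\Parameters; server role only
$affectedBuilds = @('18362', '18363')
$fixKb          = 'KB4551762'
$lanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbGhostStatus {
    # Build and update-build-revision straight from the registry, which is reliable
    # even when the PowerShell host lies about the OS version.
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$ver.CurrentBuild
    $ubr   = $ver.UBR

    $result = [ordered]@{
        Build               = "$build.$ubr"
        AffectedBuild       = $affectedBuilds -contains $build
        FixInstalled        = [bool](Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue)
        CompressionDisabled = $false
        Smb3ServerEnabled   = $false
        Verdict             = ''
    }

    # Workaround check: the value is absent by default, so treat "missing" as "not set".
    $p = Get-ItemProperty -Path $lanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($p -and $p.DisableCompression -eq 1) { $result.CompressionDisabled = $true }

    # SMBv3 is a dialect of SMB2 and shares its on/off switch on the server side.
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($srv) { $result.Smb3ServerEnabled = [bool]$srv.EnableSMB2Protocol }

    if (-not $result.AffectedBuild) {
        $result.Verdict = 'Not affected: build is not 1903/1909'
    } elseif ($result.FixInstalled) {
        $result.Verdict = 'Patched'
    } elseif ($result.CompressionDisabled) {
        $result.Verdict = 'Workaround only: server role mitigated, client role still exposed; install the update'
    } else {
        $result.Verdict = "VULNERABLE: install $fixKb"
    }
    [pscustomobject]$result
}

function Set-SmbCompressionWorkaround {
    # Microsoft's interim mitigation for the server role. Reversible: set the value to 0.
    Set-ItemProperty -Path $lanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

$status = Get-SmbGhostStatus
$status | Format-List
if ($status.Verdict -like 'VULNERABLE*') {
    Set-SmbCompressionWorkaround
    Write-Warning 'Applied DisableCompression as a stopgap; the client role remains exposed until the update is installed.'
}
```

Two caveats when running this at scale: Get-HotFix reads Win32_QuickFixEngineering and can miss an update that was applied by a later cumulative package, so cross-check a "VULNERABLE" verdict against the reported UBR before acting on it; and the workaround does nothing for the client-side path Microsoft describes (a user connecting to a malicious SMBv3 server), so blocking outbound TCP 445 at the perimeter is the complementary control.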

In an analysis posted in March 2020, VMware researchers said that in addition to enabling an unauthenticated user to execute code remotely by sending a “specially crafted” packet to a vulnerable SMBv3 Server, “if an attacker could convince or trick a user into connecting to a malicious SMBv3 Server, then the user’s SMB3 client could also be exploited.”

“Regardless if the target or host is successfully exploited, this would grant the attacker the ability to execute arbitrary code,” VMware said.

‘Wormable’ flaw

In a blog in March 2020, Tenable’s Satnam Narang pointed out that the vulnerability has been characterized as “wormable.”

The vulnerability “evokes memories of EternalBlue, most notably CVE-2017-0144, an RCE vulnerability in Microsoft SMBv1 that was used as part of the WannaCry ransomware attacks,” Narang said. “It’s certainly an apt comparison, so much so that researchers are referring to it as EternalDarkness.”

Other newly added vulnerabilities to CISA’s Known Exploited Vulnerabilities Catalog include additional flaws in Microsoft products and two flaws in Apple software.

“Kudos to CISA for keeping security professionals focused on severe vulnerabilities known to be exploited,” said Bud Broomhead, CEO at enterprise IoT security vendor Viakoo, in an email to VentureBeat. “With many security teams being overworked and overwhelmed, the clarity from CISA on what deserves their priority and attention is of tremendous value.”

In terms of the timing of when a vulnerability is detected — versus when it is added to the CISA catalog — “it comes down to when the determination is made that the vulnerability is actually being exploited,” Broomhead said. “With close to 170,000 known vulnerabilities, priority should be given to the ones that are causing real damage right now, not ones that in theory could cause damage.”

Here is the full list of the 15 newly added vulnerabilities to CISA’s catalog:

  • CVE-2021-36934: Microsoft Windows SAM Local Privilege Escalation Vulnerability
  • CVE-2020-0796: Microsoft SMBv3 Remote Code Execution Vulnerability
  • CVE-2018-1000861: Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
  • CVE-2017-9791: Apache Struts 1 Improper Input Validation Vulnerability
  • CVE-2017-8464: Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability
  • CVE-2017-10271: Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
  • CVE-2017-0263: Microsoft Win32k Privilege Escalation Vulnerability
  • CVE-2017-0262: Microsoft Office Remote Code Execution Vulnerability
  • CVE-2017-0145: Microsoft SMBv1 Remote Code Execution Vulnerability
  • CVE-2017-0144: Microsoft SMBv1 Remote Code Execution Vulnerability
  • CVE-2016-3088: Apache ActiveMQ Improper Input Validation Vulnerability
  • CVE-2015-2051: D-Link DIR-645 Router Remote Code Execution
  • CVE-2015-1635: Microsoft HTTP.sys Remote Code Execution Vulnerability
  • CVE-2015-1130: Apple OS X Authentication Bypass Vulnerability
  • CVE-2014-4404: Apple OS X Heap-Based Buffer Overflow Vulnerability
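As an added example of turning the list above into work for a team, and not code from the article or CISA, the following PowerShell script joins a constructed vulnerability-scanner inventory against Known Exploited Vulnerabilities entries and ranks them by remediation due date. The three catalog entries are a constructed sample written in the field layout of CISA’s published JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate); the due dates are the ones the article reports, while the dateAdded value, the host names and the inventory are assumptions for illustration.

```powershell
# Added example: rank a host inventory by CISA KEV due date.
# The live feed is https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# (replace the literal below with: $kev = Invoke-RestMethod $url). The three entries here are a
# constructed sample in the feed's field layout; dateAdded is assumed, dueDate values are from the article.
$kevJson = @'
{ "vulnerabilities": [
  { "cveID": "CVE-2021-36934", "vendorProject": "Microsoft", "product": "Windows",
    "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability",
    "dateAdded": "2022-02-10", "shortDescription": "constructed sample",
    "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-24" },
  { "cveID": "CVE-2020-0796", "vendorProject": "Microsoft", "product": "SMBv3",
    "vulnerabilityName": "Microsoft SMBv3 Remote Code Execution Vulnerability",
    "dateAdded": "2022-02-10", "shortDescription": "constructed sample",
    "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-08-10" },
  { "cveID": "CVE-2018-1000861", "vendorProject": "Jenkins", "product": "Stapler Web Framework",
    "vulnerabilityName": "Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability",
    "dateAdded": "2022-02-10", "shortDescription": "constructed sample",
    "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-08-10" }
]}
'@
$kev = $kevJson | ConvertFrom-Json

# Constructed inventory: what a scanner reports each host still carries (hosts are hypothetical).
$inventory = @(
    [pscustomobject]@{ Host = 'dc01';  CVE = 'CVE-2021-36934' },
    [pscustomobject]@{ Host = 'fs02';  CVE = 'CVE-2020-0796' },
    [pscustomobject]@{ Host = 'ci01';  CVE = 'CVE-2018-1000861' },
    [pscustomobject]@{ Host = 'web07'; CVE = 'CVE-2099-0001' }   # not in KEV: out of scope here
)

function Get-KevTriage {
    param(
        [datetime]$AsOf = (Get-Date),
        [int]$SoonDays = 14
    )
    # Index the catalog once so each inventory row is a hash lookup, not a scan of the feed.
    $byCve = @{}
    foreach ($v in $kev.vulnerabilities) { $byCve[$v.cveID] = $v }

    foreach ($item in $inventory) {
        $entry = $byCve[$item.CVE]
        if (-not $entry) { continue }   # only catalog entries carry a due date
        $due  = [datetime]::ParseExact($entry.dueDate, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        $days = ($due.Date - $AsOf.Date).Days
        if ($days -lt 0)              { $state = 'OVERDUE' }
        elseif ($days -le $SoonDays)  { $state = 'DUE SOON' }
        else                          { $state = 'SCHEDULED' }
        [pscustomobject]@{
            Host     = $item.Host
            CVE      = $entry.cveID
            Name     = $entry.vulnerabilityName
            DueDate  = $entry.dueDate
            DaysLeft = $days
            Status   = $state
        }
    }
}

# Evaluated five days after the sample's dateAdded: dc01 shows DUE SOON (9 days), the others SCHEDULED.
Get-KevTriage -AsOf '2022-02-15' | Sort-Object DaysLeft | Format-Table -AutoSize
```

The due date is a compliance clock for federal agencies, not a severity signal: in this sample the 7.8-rated CVE-2021-36934 sorts ahead of the 10.0-rated CVE-2020-0796 because its deadline is two weeks out, which is exactly the ordering the federal directive produces. Teams outside that mandate can swap `DaysLeft` for a score that also weighs exposure (an SMB server reachable from untrusted networks, for instance) before sorting.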
