Microsoft Windows Task Scheduler Vulnerability Revealed by SandboxEscaper
Last updated September 23, 2021
Although Microsoft pushed its biggest-ever security patch yesterday, one flaw was left out of it and was accidentally published by the tech giant on March 10. Carrying the identifier “CVE-2020-0796”, this is a critical flaw in the SMBv3 (Server Message Block 3.1.1) network communications protocol. Microsoft disclosed the flaw by mistake through the “Active Protections Program,” which is meant to link the company with various security vendors. While the technical information was retracted right after it was published, people took note of the bug and figured that it’s a pretty nasty one.
The vulnerability enables a malicious actor to launch a remote code execution (RCE) attack by sending a specially crafted packet to the target SMBv3 server. The only prerequisite is being able to connect to the target server first. The execution can take place on either the server or the SMB client, and, unfortunately, the flaw is wormable. Microsoft understands the criticality of the vulnerability and will fix it as quickly as possible, but right now there’s no patch to plug the flaw. The vulnerable systems are the following:
Windows versions older than 10 v1903 are not affected by this vulnerability, as support for SMBv3.1.1 compression was only added recently. There have been no confirmed cases of CVE-2020-0796 being exploited in the wild. However, with Microsoft having published the technical details of the flaw two days ago, it is only a matter of time before it is used for malicious purposes. If you administer an SMB server, you should run the following PowerShell command (from an elevated prompt) to disable SMBv3 compression and block any attacks:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
In addition, SMB clients should block TCP port 445 at the enterprise perimeter firewall, exactly as was done with WannaCry. This won’t protect systems from attacks that originate inside the enterprise perimeter, so keep that in mind. Of course, everyone is advised to apply the fixing patches as soon as Microsoft releases them, which shouldn’t take too long now.
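The workaround above is a single registry write, and on a fleet you usually want to know which hosts are in scope and whether the setting actually stuck. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a host for the CVE-2020-0796 workaround and optionally applies it. It assumes PowerShell 5.1 or later on Windows, an elevated prompt, and that Windows 10 v1903 corresponds to OS build 18362 (the first build with SMBv3.1.1 compression); the function and parameter names are ours, and the host-firewall check is a local complement to the perimeter block the article recommends, not a replacement for it.

```powershell
# Added example: audit and optionally apply the CVE-2020-0796 workaround.
# Assumes an elevated PowerShell 5.1+ session on Windows. Names are ours.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegName = 'DisableCompression'
# Assumption: Windows 10 v1903 is OS build 18362; earlier builds lack SMBv3.1.1 compression.
$FirstAffectedBuild = 18362

function Test-HostInScope {
    # Treat every build at or after v1903 as potentially affected until patched.
    return ([System.Environment]::OSVersion.Version.Build -ge $FirstAffectedBuild)
}

function Get-SmbCompressionDisabled {
    # $true only when DisableCompression exists and equals 1 (the workaround in the article).
    $props = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ([int]$props.$RegName -eq 1)
}

function Set-SmbCompressionDisabled {
    # Same registry write Microsoft recommends; -Force creates the value if it is missing.
    Set-ItemProperty -Path $RegPath -Name $RegName -Type DWORD -Value 1 -Force
}

function Test-HostBlocksTcp445 {
    # Looks for an enabled inbound Block rule whose port filter covers TCP 445.
    # Port ranges such as "440-450" are not expanded; this is a best-effort check.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and
            (($filter.LocalPort -contains '445') -or ($filter.LocalPort -eq 'Any'))) {
            return $true
        }
    }
    return $false
}

function Invoke-SmbGhostWorkaroundAudit {
    param(
        [switch]$Apply   # When set, write DisableCompression=1 if the host is in scope and unmitigated.
    )
    $inScope  = Test-HostInScope
    $disabled = Get-SmbCompressionDisabled
    if ($Apply -and $inScope -and -not $disabled) {
        Set-SmbCompressionDisabled
        $disabled = Get-SmbCompressionDisabled   # Re-read to confirm the write took effect.
    }
    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        OSBuild             = [System.Environment]::OSVersion.Version.Build
        InScope             = $inScope
        CompressionDisabled = $disabled
        HostBlocksTcp445    = Test-HostBlocksTcp445
        Mitigated           = (-not $inScope) -or $disabled
    }
}

# Usage: report only, then apply the workaround where needed.
Invoke-SmbGhostWorkaroundAudit | Format-List
Invoke-SmbGhostWorkaroundAudit -Apply | Format-List
```

The `Mitigated` field is intentionally conservative: a host counts as mitigated only if it is below the affected build range or has compression disabled; a firewall block alone does not flip it, because, as the article notes, perimeter or host filtering does nothing against an SMB peer that is already inside the network. Remove the workaround again (`Remove-ItemProperty` on the same value) once the Microsoft patch is installed, so compression is not left off permanently.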