If you haven't patched your Windows systems since March 10, better do so now, warns the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
That's because new proof-of-concept code was released last week that exploits a flaw -- known as SMBGhost or, um, Eternal Darkness -- in the Server Message Block (SMB) protocol that Microsoft patched March 12, two days after its regular March Patch Tuesday round.
The flaw affects Windows 10 builds 1903 and 1909, but older or newer versions of Windows 10 are not vulnerable. A truly successful exploit of SMBGhost would create an unrestricted "worm" that could spread through the internet on its own, similar to the WannaCry ransomware worm of 2017.
"Malicious cyber actors are targeting unpatched systems with the new PoC [proof-of-concept], according to recent open-source reports," the CISA advisory, released June 5, warns. "CISA strongly recommends using a firewall to block SMB ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible."
This isn't the first proof-of-concept to exploit the SMBGhost flaw, and it doesn't even work that well yet. But it permits fairly consistent remote code execution, i.e., hacking over the internet, which puts it one step closer to a worldwide worm.
"This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable," wrote the proof-of-concept's developer, who calls herself Chompie, in a GitHub posting. "Using this for any purpose other than self-education is an extremely bad idea. Your computer will burst in flames. Puppies will die."
Chompie provided a video demonstrating the exploit, in which a Mac uses it to hack a PC.
"This was a pain 😂. But I was able to achieve RCE with CVE 2020-0796 #SMBGhost." (Chompie on Twitter, June 1, 2020)
Will Dormann, a vulnerability analyst at the Pentagon-funded CERT Coordination Center at Carnegie Mellon University in Pittsburgh, said that Chompie's exploit code was "not completely reliable, but ... does indeed work!"
"Not completely reliable, but this CVE-2020-0796 PoC does indeed work!" (Will Dormann on Twitter, June 5, 2020)
The very fact that even partly working network-jumping exploits of SMBGhost are out there -- and that bad guys may be using them, per CISA -- means that any Windows 10 1903 or 1909 build that hasn't installed the March patch is vulnerable to attack from the internet.
The solution, obviously, is to install the stand-alone patch that Microsoft issued March 12. You could also just upgrade to Windows 10 build 2004, which is being rolled out to PCs now. And, if you can, set your firewall to externally block port 445.
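As an added illustration that is not part of the article, the PowerShell below checks whether a Windows 10 machine is one of the two builds named above and, if it is, adds a Windows Firewall rule blocking inbound TCP 445 on the Public profile (the port-445 block the article recommends). It assumes an elevated session on Windows 10 with the built-in NetSecurity module; the rule name is our own choice.

```powershell
# Added example (not from the article): check the Windows 10 build and, if it is one of the
# affected builds, block inbound SMB (TCP 445) from public networks with Windows Firewall.
# Assumes an elevated PowerShell session on Windows 10 and the built-in NetSecurity module.

$affectedBuilds = @('1903', '1909')   # the builds the article says are affected
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId

if ($affectedBuilds -contains $releaseId) {
    Write-Host "Windows 10 build $releaseId is in the affected range; blocking inbound TCP 445."

    # The rule name is our own label, not a Microsoft-defined identifier.
    $ruleName = 'Block inbound SMB 445 (SMBGhost mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol TCP -LocalPort 445 `
            -Action Block -Profile Public -Enabled True | Out-Null
    }

    # Confirm the rule exists and is enabled.
    Get-NetFirewallRule -DisplayName $ruleName |
        Select-Object DisplayName, Enabled, Direction, Action, Profile
} else {
    Write-Host "Windows 10 build $releaseId is not one of the builds the article lists as affected."
}
```

Blocking 445 only on the Public profile keeps file sharing working on trusted networks; the stand-alone March patch is still the fix the article calls for.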
In theory, you ought to install all Microsoft security patches as soon as they are issued. But that often creates its own set of problems, especially for enterprises with dozens or hundreds of PCs being patched at once.