
Microsoft warns of vulnerabilities in SMBv3 (update: patch released 13 March 2020)

The ACSC is aware of Microsoft’s recent disclosure of a vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol called CVE-2020-0796, also known as EternalDarkness.

Vulnerabilities in earlier versions of Microsoft Server Message Block (SMB) were used by the EternalBlue and EternalRomance exploits, notoriously utilised in the 2017 outbreaks of the WannaCry and NotPetya ransomware. These ransomware attacks were responsible for disrupting the National Health Service in the United Kingdom and crippling transportation, automotive and telecommunications companies in Europe.

Similar to these previous exploits, EternalDarkness is believed to be ‘wormable’, meaning an exploit could be developed with the ability to propagate or ‘worm’ through vulnerable computer systems automatically, requiring no user interaction at all.

The ACSC is not currently aware of any publicly available exploits for the EternalDarkness vulnerability; however, it is likely one will be developed in the near future.

Recommendations

It is important that organisations and individuals operating older versions of Windows systems install the Windows security patch for CVE-2020-0796, available at CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability.

The affected versions of the Windows operating system include:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

The ACSC recommends always installing manufacturers’ updates as soon as possible.

Further information

Further information about CVE-2020-0796 (EternalDarkness) can be found within Microsoft’s advisory.

Details on this vulnerability will be posted on MITRE’s CVE website.

To report a cybercrime, visit cyber.gov.au/report