


“INCONTROLLER” / “PIPEDREAM” ICS Toolkit Targeting Energy Sector
This advisory was written by Travis Holland and Eric Dodge of the Kudelski Security Threat Detection & Research Team
Summary
Incontroller/Pipedream is a collection of sophisticated tools attributed to a group that Dragos tracks as “Chernovite”. Chernovite is assessed to be a state-sponsored adversary that built the toolkit for use in future operations. The primary targets are the electric and natural gas verticals, but the tooling is not limited to those sectors. At this time the CFC has no intelligence that Pipedream has been successfully deployed in the wild, which has given researchers time to evaluate the tools proactively. The suite is designed to provide access to, and manipulation of, Schneider Electric and Omron PLCs as well as Open Platform Communications Unified Architecture (OPC UA) servers. Dragos, an ICS-focused cyber security company, has broken Incontroller/Pipedream into five components: Evilscholar, Badomen, Mousehole, Dusttunnel and Lazycargo.
- Evilscholar: Provides the capability to discover, access and manipulate Schneider Electric PLCs.
- Badomen: Provides the capability to scan for, identify and access Omron software and PLCs.
- Mousehole: Interacts with and accesses OPC UA servers, including enumerating node IDs and brute forcing credentials.
- Dusttunnel: Remote-operation implant that establishes persistence and command and control.
- Lazycargo: Drops and exploits a known vulnerable ASRock driver to elevate privileges on the Windows host.
When properly used, these tools allow an attacker to scan for devices, brute force passwords, close connections and even crash the targeted device. PLC implants are used to execute untrusted code on the PLCs; such implants can remain on an impacted PLC for long durations, and firmware forensic analysis may be required to reveal their presence.
The CFC has worked with its ICS-aware Network Intrusion Detection System (IDS) partner, Claroty, who has written and published detection signatures for Pipedream. All clients of the CFC’s MDR for OT service have had these signatures deployed to their Claroty installations.
Affected Systems
The toolkit targets the following systems, typically located in electrical substations and communicating via the IEC-104 protocol:
- Windows hosts on which the vulnerable ASRock driver (CVE-2020-15368) can be loaded; the toolkit drops this driver itself and uses it for privilege escalation
- Schneider Electric MODICON and MODICON Nano PLCs, including (but may not be limited to):
- TM251, TM241, M258, M238, LMC058, and LMC078
- OMRON Sysmac NJ and NX PLCs, including (but may not be limited to):
- NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT
- OPC Unified Architecture (OPC UA) Servers
Technical Details
Incontroller/Pipedream is a sophisticated, modular set of tools that an attacker can leverage once they have established access within an environment. The foothold is established by whatever vector is available to the attacker and is followed by use of the ASRock driver exploit (CVE-2020-15368) to escalate privileges and move through the environment. The ASRock exploit is rather trivial: it requires administrative access on the host and from there allows arbitrary code execution with kernel privileges.
The modular architecture and automation of the toolkit make it easy to add components as needed; the ASRock exploit, for example, could easily be swapped for another exploit or tool. Depending on the PLC type, the threat actor has different actions and objectives available.
Capabilities of the tooling per impacted vendor
Schneider Electric Devices:
- Rapidly scan and identify all Schneider PLCs on the local network via UDP multicast on port 27127
- Brute force Schneider PLC passwords via CODESYS over port 1740
- Conduct denial-of-service attacks to prevent network communication to the PLC
- Drop connections, forcing re-authentication to the PLC in order to gather credentials
- Crash the PLC, requiring a power cycle and configuration recovery
- Pushing custom Modbus commands/packets
- Retrieving file/directory listings
- Deleting files
- Adding a route if the device gateway IP exists on a different interface
- Connecting to specific devices
Omron devices:
- Scanning for Omron devices via the FINS protocol over port 9600
- Parsing out HTTP response from Omron devices
- Retrieving MAC addresses of devices
- Polling for what devices are connected to the PLC
- Backup and restoration of arbitrary files to or from the PLC
- Loading custom agents on the PLCs to allow for additional capabilities
- Wiping the device’s memory and resetting it
- Activating the Telnet daemon
- Connecting to the device via the Telnet daemon and uploading or executing payloads and commands
- Performing a network capture
- Killing processes on the device
- Transferring files to the device
- Connecting and communicating with attached servo drives
OPC UA:
- Identify OPC UA servers
- Connect to OPC UA servers via default or compromised credentials
- Reading/Writing tag values for data on OPC UA servers
- Brute forcing credentials
- Outputting log files
Currently Known Indicators of Compromise (IOCs)
- sys (RWEverything)
- sys (AsrPolychromeRGB)
- sys (AsrPolychromeRGB)
- exe
Solution/Mitigation
There is currently no evidence of Incontroller/Pipedream being deployed for disruptive or destructive effects. The toolkit uses standard ICS protocols and actions, living off the land natively. Monitoring for suspicious loading or use of the ASRock driver can catch the Windows-side portion of the toolset. Note that the ASRock driver exploit requires the attacker to already hold administrator-level privileges on the host; future exploits may have different requirements.
The Cyber Fusion Center recommends the following for mitigation, discovery, and recovery:
- Appropriate network segmentation, and strong perimeter controls
- Leverage Secure Remote Access with Multi Factor Authentication and monitored sessions
- Jump Servers monitored with Endpoint Detection and Response (EDR) technologies
- Active endpoint monitoring on HMIs, Engineering Workstations, and Historians
- Strong password policies and management
- Patch management
- Only allow connections to ICS/SCADA infrastructure from designated engineering workstations
- Disable the Schneider NetManage discovery service
- Monitoring for new outbound connections from PLCs
Additionally, dedicated ICS monitoring can help quickly identify activity outside the baseline that could indicate movement and attacks within the ICS infrastructure. Examine non-baseline activity and restrict access to the following destination ports:
- TCP 502; Modbus
- UDP 27127; primarily used for discovery scanning
- UDP 1740-1743, TCP 1105, and TCP 11740; CODESYS
- TCP/UDP 9600; default communication port for Omron
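The ports above, together with the recommendation to watch for PLC-initiated connections, can be turned into a simple baseline check over exported flow or firewall records. The following Python script is an added example written for this advisory; it is not Claroty signature content or CFC tooling. The record format, the engineering-workstation addresses and the PLC subnet are assumptions to be replaced with the site inventory, and the sample records are constructed.

```python
"""Baseline check over flow records for the ICS ports listed in this advisory.

Added example written for this advisory, not Claroty signature content or CFC tooling.
The record format, the engineering-workstation addresses and the PLC subnet are
assumptions; replace them with the site inventory.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Destination ports from the advisory and what each one carries.
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("udp", 27127): "Schneider discovery",
    ("tcp", 1105): "CODESYS",
    ("tcp", 11740): "CODESYS",
    ("tcp", 9600): "Omron FINS",
    ("udp", 9600): "Omron FINS",
}
ICS_PORTS.update({("udp", p): "CODESYS" for p in range(1740, 1744)})

# Assumed baseline: only these engineering workstations may reach PLC services,
# and all PLCs live in this subnet.
ENGINEERING_WORKSTATIONS = {ip_address("10.10.5.10"), ip_address("10.10.5.11")}
PLC_SUBNET = ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a 'src=... dst=... proto=... dport=...' record (constructed format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))


def evaluate(flow: Flow) -> list:
    """Return alert strings for one flow; an empty list means it matches the baseline."""
    alerts = []
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    service = ICS_PORTS.get((flow.proto, flow.dport))
    if service and src not in ENGINEERING_WORKSTATIONS:
        alerts.append(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport} "
                      f"({service}) from a non-engineering host")
    if flow.proto == "udp" and flow.dport == 27127 and dst.is_multicast:
        alerts.append(f"{flow.src} sent a Schneider discovery multicast to {flow.dst}")
    # PLCs should not initiate connections; a PLC-sourced flow leaving the PLC
    # subnet suggests an implant or a manipulated route on the device.
    if src in PLC_SUBNET and dst not in PLC_SUBNET and not dst.is_multicast:
        alerts.append(f"PLC {flow.src} initiated an outbound connection to "
                      f"{flow.dst} {flow.proto}/{flow.dport}")
    return alerts


def scan(lines) -> list:
    """Evaluate every non-empty record and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(evaluate(parse_flow(line.strip())))
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """
src=10.10.5.10 dst=10.20.0.7 proto=tcp dport=502
src=10.10.8.44 dst=239.255.0.1 proto=udp dport=27127
src=10.10.8.44 dst=10.20.0.7 proto=udp dport=1740
src=10.20.0.7 dst=198.51.100.23 proto=tcp dport=443
src=10.10.5.11 dst=10.20.0.9 proto=udp dport=9600
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS.splitlines()):
        print("ALERT:", alert)
```

Running the script on the sample flows raises four alerts: the discovery multicast and the CODESYS connection from the unlisted host 10.10.8.44, and the PLC at 10.20.0.7 opening an outbound connection. The two flows from the listed engineering workstations pass silently. In production the ICS IDS supplies the flow records; the value of the script is the explicit allow-list, which is what Pipedream's scanning and brute-force modules violate.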
What the Cyber Fusion Center is doing
While there are currently no known active deployments of this tooling, the Cyber Fusion Center’s OT Intrusion Detection System (IDS) partner, Claroty, has developed and published network signatures designed to detect the potential presence of this tooling. All clients of the CFC’s MDR for OT service have had these new detection signatures deployed on their behalf.
Sources

CredManifest: Azure AD Information Disclosure Leading to Privilege Escalation & Free Tool Released
Summary
On November 17th, 2021 Microsoft disclosed a high-severity information disclosure vulnerability in Azure Active Directory (Azure AD) that could allow any authenticated Azure AD user to escalate their privileges. Azure AD is Microsoft’s identity and access management system used by Azure and Office 365. The vulnerability, dubbed “CredManifest” (CVE-2021-42306), existed because Azure incorrectly wrote private certificate data (including the private key) in cleartext into the “keyCredentials” property of Application and Service Principal manifests. By default, these manifests can be read by any authenticated Azure AD user.
Successful exploitation could have allowed an attacker with access to any account in the target’s Azure AD tenant to read private certificates from manifests and then use them to authenticate as the affected application. Automation “Run As” accounts are granted the “Contributor” role on their subscription, so a stolen Run As certificate grants full access to manage all Azure resources in that subscription.
Microsoft mitigated the vulnerability on October 30th, 2021 by restricting access to the “keyCredentials” property in Application and Service Principal manifests, so attackers can no longer read the sensitive data. However, attackers may have gathered these credentials before Microsoft became aware of the issue and may therefore still hold privileged credentials for impacted environments. The Cyber Fusion Center strongly recommends that organizations identify impacted Application registrations and Service Principals, rotate those certificates as quickly as possible, and investigate Azure AD audit logs for suspicious activity from the associated accounts.
For additional details on how to identify impacted App registrations & Service Principals, please review the “solution” section of this advisory.
Affected Azure AD Services
Azure AD Service | Impacted Scenarios
Azure AD Automation with “Run As” accounts enabled | Automation accounts whose “Run As” accounts were generated between 10/15/2020 and 10/15/2021 are impacted. Automation accounts created with Managed Identities are not impacted.
Azure Migrate service | Azure Migrate appliances registered prior to 11/02/2021, or registered with auto-update disabled, are impacted.
Azure Site Recovery (ASR) | Users who deployed the preview version of VMware to Azure DR with Azure Site Recovery before 11/01/2021 are impacted.
Azure AD Applications and Service Principals | See the “Solution” section of this advisory to identify impacted Azure AD Apps and Service Principals.
Solution
Microsoft has updated Azure to mitigate and resolve the issue; however, certain Application and Service Principal credentials must be rotated to fully remediate it. Follow the guidance in this advisory and Microsoft’s remediation guide to identify the credentials that must be rotated.
CFC Releases Free Tool to check for impacted Applications & Accounts
The Cyber Fusion Center has also created a free tool to allow organizations to identify impacted Automation “Run-As” accounts, Application Registrations, and Service Principals. The tool allows Azure AD administrators to easily see impacted credentials that need to be rotated. The free tool is available at the following location:
https://credmanifest.kudelskisecurity.com
Once an organizational administrator has granted read-only consent to the tool, the organization will be able to see its impacted Applications:

A listing of applications that are impacted and should have their credentials rotated
Manually Identifying Impacted Applications, Service Principals, and Run-As Accounts
Microsoft has enhanced the manifests of impacted objects with a new property that identifies credentials that must be rotated. Organizations can identify impacted Azure AD Apps and Service Principals by looking for a “hasExtendedValue” property set to true within the “keyCredentials” object, as returned by the Microsoft Graph beta endpoint.
Below is an example of an *impacted* credential (notice the hasExtendedValue property set to True):
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications(keyCredentials)/$entity",
  "keyCredentials": [
    {
      "customKeyIdentifier": "7A28B6653D0319E69D27E74580E7C91D765AF867",
      "endDateTime": "2021-05-21T03:35:32Z",
      "keyId": "772faab4-9b59-456e-b73e-baadbfa4b92d",
      "startDateTime": "2020-05-21T03:15:32Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "key": "MIIDKzCC……",
      "displayName": "CN=MyCert",
      "hasExtendedValue": true
    }
  ]
}
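To apply the hasExtendedValue check across an entire tenant rather than one manifest at a time, the Python script below is an added example; it is neither Microsoft’s aad-app-credential-tools nor the CFC tool described above. It assumes that the Graph beta endpoint returns hasExtendedValue for both applications and servicePrincipals (as in the manifest above) and that a bearer token with Application.Read.All is supplied in the GRAPH_TOKEN environment variable; the function names and the sample page are constructed for the example.

```python
"""Find Azure AD app registrations and service principals with keyCredentials that
Microsoft flags as exposed (hasExtendedValue == true) after CVE-2021-42306.

Added example, not Microsoft's aad-app-credential-tools and not the CFC tool.
Assumes the Graph beta endpoint returns hasExtendedValue for applications and
servicePrincipals, and that GRAPH_TOKEN holds a bearer token with Application.Read.All.
"""
import json
import os
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"


def impacted_credentials(objects, kind):
    """One record per keyCredential whose hasExtendedValue is true."""
    hits = []
    for obj in objects:
        for cred in obj.get("keyCredentials") or []:
            if cred.get("hasExtendedValue") is True:
                hits.append({
                    "kind": kind,
                    "objectId": obj.get("id"),
                    "displayName": obj.get("displayName"),
                    "keyId": cred.get("keyId"),
                    "certDisplayName": cred.get("displayName"),
                    "endDateTime": cred.get("endDateTime"),
                })
    return hits


def fetch_all(token, resource):
    """Page through /beta/<resource>, following @odata.nextLink until exhausted."""
    url = f"{GRAPH_BETA}/{resource}?$select=id,displayName,keyCredentials"
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def audit(token):
    """Live tenant check: applications and service principals in one report."""
    return (impacted_credentials(fetch_all(token, "applications"), "application")
            + impacted_credentials(fetch_all(token, "servicePrincipals"), "servicePrincipal"))


# Constructed sample page (not tenant data): one exposed credential, one clean, one empty.
SAMPLE_PAGE = {"value": [
    {"id": "0f6d2b1e-1111-4c8a-9a1e-aaaaaaaaaaaa", "displayName": "automation-runas-app",
     "keyCredentials": [{"keyId": "772faab4-9b59-456e-b73e-baadbfa4b92d",
                         "type": "AsymmetricX509Cert", "usage": "Verify",
                         "endDateTime": "2021-05-21T03:35:32Z",
                         "displayName": "CN=MyCert", "hasExtendedValue": True}]},
    {"id": "0f6d2b1e-2222-4c8a-9a1e-bbbbbbbbbbbb", "displayName": "clean-app",
     "keyCredentials": [{"keyId": "3c1d0b9a-4444-4e55-8f66-cccccccccccc",
                         "type": "AsymmetricX509Cert", "usage": "Verify",
                         "hasExtendedValue": False}]},
    {"id": "0f6d2b1e-3333-4c8a-9a1e-dddddddddddd", "displayName": "no-certs-app",
     "keyCredentials": []},
]}

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    report = audit(token) if token else impacted_credentials(SAMPLE_PAGE["value"], "application")
    print(json.dumps(report, indent=2))
```

Without GRAPH_TOKEN the script evaluates the constructed page and reports only the automation-runas-app credential; with a token it walks both collections. Every keyId it reports is a certificate to rotate, and the objectId is the identity whose sign-in and audit logs should be reviewed for use of that credential before October 30th, 2021.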
Free Microsoft Scripts to identify impacted Applications, Service Principals, and Run-As Accounts.
Additionally, Microsoft has made several scripts and automation tooling available to identify and remediate impacted Azure AD App Registrations and Service Principals here:
https://github.com/microsoft/aad-app-credential-tools
What the Cyber Fusion Center is doing
The Cyber Fusion Center is actively working to develop tooling to help clients identify impacted App registrations and Service Principals. The CFC will engage directly with clients who subscribe to CFC services that require Azure AD App Registrations to support data and alert consumption (such as the CFC’s MDR for Endpoint with Microsoft Defender for Endpoint and MDR for Cloud with Azure / Office 365) to determine whether they are impacted and, if necessary, rotate credentials.
The Cyber Fusion Center will engage with clients to directly coordinate the rotation of impacted certificates and credentials and ensure no impact to the delivery of your CFC services. Clients working to mitigate impacted Azure AD App registrations should coordinate with the CFC to ensure we can continue to receive critical data required to deliver your services.
Temporary Workarounds and Mitigations
Microsoft has proactively mitigated the issue by limiting access to private certificate data from manifests. This has prevented attackers from gaining access to private certificates since 10/30/2021. However, impacted credentials must still be rotated to ensure attackers who may have exploited this vulnerability prior to mitigation do not retain privileged access to Azure AD environments.
Organizations that identify impacted App registrations and Service Principals should review Azure AD audit logs for signs of abuse of these credentials as soon as possible.
Sources
- https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
- https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/
- https://github.com/microsoft/aad-app-credential-tools
- https://credmanifest.kudelskisecurity.com

Security Advisory: Kaseya VSA Supply Chain Compromise Used to Execute REvil Ransomware
SUMMARY
On July 2nd, 2021 a large-scale supply chain attack by the REvil ransomware group affected multiple IT Managed Service Providers (MSPs) and leveraged the MSPs’ Kaseya VSA instances to infect the MSPs’ clients. As of this writing the campaign has affected around 60 IT MSPs and over 1500 end clients.
The attack was carried out by compromising self-hosted Kaseya VSA servers. The threat actors appear to have gained access by abusing an authentication bypass and a command injection bug in the management web UI. Once they had access to the VSA servers, they quickly locked legitimate users out and delivered a malicious payload to endpoints through the compromised IT management tool.
The Kudelski Security Cyber Fusion Center and Kudelski Group were not affected as this solution is not leveraged internally nor externally.
Affected Systems
All self-hosted VSA servers. There is currently no patch available; it is strongly recommended to keep these servers shut down.
ATTACK OVERVIEW
Once the threat actors had initial access to the VSA servers, they locked out administrators and leveraged VSA’s update mechanism to deploy their malware as a base64-encoded “.crt” file (agent.crt). A PowerShell command then disabled Windows Defender Antivirus, and certutil decoded the file and saved it as agent.exe in the c:\kworking directory of the Kaseya VSA agent (a directory typically excluded from AV scanning, as recommended by Kaseya). Finally, the agent.exe malware dropper was started by the Kaseya agentmon.exe binary, inheriting SYSTEM-level privileges.
The malware dropper extracted from the encoded agent.crt file was digitally signed with a valid digital signature using the following information:
• Signer name: PB03 TRANSPORT LTD.
• Email: Brouilettebusiness@outlook[.]com
• Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
• Serial #: 119acead668bad57a48b4f42f294f8f0
• Issuer website: https://sectigo[.]com/
Once executed, the dropper writes the following files to the c:\Windows path:
• MsMpEng.exe – a legitimate but very outdated Windows Defender executable
• Mpsvc.dll – the encryptor payload, compiled as a dynamic link library and side-loaded by the outdated Defender executable from the same directory
Known associated IOCs (SHA256):
• agent.exe (d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e)
• mpsvc.dll (e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2)
• mpsvc.dll (8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd)
The threat actors appear to have performed initial exploitation activity from the following IP addresses:
• 18.223.199[.]234 (Amazon Web Services)
• 161.35.239[.]148 (Digital Ocean)
• 35.226.94[.]113 (Google Cloud)
• 162.253.124[.]162 (Sapioterra)
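The execution chain above (Defender disabled via PowerShell, certutil decoding agent.crt in c:\kworking, agent.exe launched by AgentMon.exe, MsMpEng.exe staged in C:\Windows) can be hunted in process-creation telemetry together with the SHA256 IOCs. The Python script below is an added example, not CFC detection content or Kaseya code. The event fields mimic a Sysmon process-creation event and the events are constructed; the specific Set-MpPreference and certutil -decode command strings follow public reporting of the campaign rather than this advisory and should be treated as assumptions.

```python
"""Hunt for the Kaseya/REvil execution chain in process-creation telemetry.

Added example, not CFC detection content or Kaseya code. The event format is a
constructed, Sysmon-like JSON line (field names are assumptions); the PowerShell and
certutil command patterns follow public reporting of the campaign, not this advisory.
"""
import json
from pathlib import PureWindowsPath

# SHA256 IOCs listed in the advisory.
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",  # agent.exe
    "e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2",  # mpsvc.dll
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",  # mpsvc.dll
}


def _name(path):
    """Lower-cased file name of a Windows path, whatever platform this runs on."""
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return the names of every rule a single process-creation event matches."""
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if _name(image) == "powershell.exe" and "set-mppreference" in cmd and "-disable" in cmd:
        hits.append("defender_disabled_via_powershell")
    if _name(image) == "certutil.exe" and "-decode" in cmd and "kworking" in cmd:
        hits.append("certutil_decode_in_kworking")
    if _name(parent) == "agentmon.exe" and _name(image) == "agent.exe":
        hits.append("agent_exe_spawned_by_kaseya_agent")
    # The legitimate Defender engine lives under Program Files; a copy in C:\Windows
    # is the side-loading stage described above.
    if _name(image) == "msmpeng.exe" and not image.lower().startswith("c:\\program files"):
        hits.append("msmpeng_outside_program_files")
    if ev.get("SHA256", "").lower() in IOC_SHA256:
        hits.append("known_ioc_hash")
    return hits


def hunt(lines):
    """Return (rule, Image) pairs for every matching event in JSON-lines telemetry."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in classify(ev):
            out.append((rule, ev.get("Image", "")))
    return out


# Constructed telemetry mimicking the chain (not a real capture); "0000" marks unknown hashes.
SAMPLE_EVENTS = r'''
{"ParentImage": "C:\\Program Files (x86)\\Kaseya\\AgentMon.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true", "SHA256": "0000"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe", "SHA256": "0000"}
{"ParentImage": "C:\\Program Files (x86)\\Kaseya\\AgentMon.exe", "Image": "c:\\kworking\\agent.exe", "CommandLine": "c:\\kworking\\agent.exe", "SHA256": "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"}
{"ParentImage": "c:\\kworking\\agent.exe", "Image": "C:\\Windows\\MsMpEng.exe", "CommandLine": "C:\\Windows\\MsMpEng.exe", "SHA256": "0000"}
{"ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "CommandLine": "MsMpEng.exe", "SHA256": "0000"}
'''

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{rule:40s} {image}")
```

On the sample telemetry the script fires five times across the first four events and stays silent on the genuine Defender engine started by services.exe. The hash rule is the weakest of the five (a rebuilt dropper changes it), while the parent/child and path rules survive such trivial changes and are the ones worth keeping in an EDR detection set.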
CFC Monitoring
Cyber Fusion Center has been actively monitoring this attack campaign and continues to track the situation to keep our clients updated. The CFC will perform threat hunting on the IOCs listed in this advisory and any updated IOCs released in the future.
Additionally, the techniques used in this campaign are not unique or novel: several threat actors have used PowerShell cmdlets to disable security solutions in the past, and the certutil binary is commonly abused to decode or download malicious files. The CFC actively monitors and responds to these techniques using Endpoint Detection and Response (EDR) tooling.
Patching
Kaseya’s R&D team was able to replicate the attack vector and is working on the process of remediating the malicious code and applying necessary patches.
Temporary Mitigations
All Kaseya hosted VSA servers as part of Kaseya’s SaaS solution were put into maintenance mode by Kaseya to prevent further exploitation.
Self-hosted VSA servers should remain shutdown until Kaseya provides a patch for the issue.
References
• https://old.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
• https://status.kaseya.net/pages/maintenance/5a317d8a2e604604d65c1c76/60df588ba49d1e05371e9d8b
• https://twitter.com/markloman/status/1411035534554808331?s=12
• https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-nowamidst-cascading-revil-attack-against-msps-clients/
• https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

Microsoft Type 1 Font Parsing Critical 0-Day Remote Code Execution Vulnerabilities
Summary
On March 23rd, 2020 Microsoft publicly disclosed the existence of two critical 0-Day vulnerabilities in all recent versions of the Microsoft Windows operating system. Microsoft is aware of limited targeted attacks that leverage these 0-Day vulnerabilities and has provided guidance on how to temporarily mitigate the exploitation of these unpatched vulnerabilities. Patches for these vulnerabilities are not expected until April’s “Patch Tuesday” release.
The two 0-Day Remote Code Execution (RCE) vulnerabilities exist because the Windows Adobe Type Manager Library (ATMFD.DLL) improperly handles a specially crafted multi-master font in the Adobe Type 1 PostScript format. This library is included by default in all Windows systems and, as such, all recent Microsoft Windows systems are impacted.
Successful exploitation of this vulnerability requires that attackers trick users into either previewing or opening a maliciously crafted document. Exploitation will likely be in the form of a phishing attempt with a malicious document attached. Attackers could also leverage Web Distributed Authoring and Versioning (WebDAV) based HTTP requests to load previews of the maliciously crafted font files in order to exploit these vulnerabilities.
Systems running Windows 10 are still vulnerable to potential exploitation but built-in mitigations make successful exploitation much more difficult. Windows 10 leverages isolated “App Containers” with limited privileges. The use of these isolated “App Containers” significantly increases the difficulty of successfully compromising a system by exploiting these issues but does not prevent exploitation.
For additional details on how Windows 10 mitigates these types of exploits, review Microsoft’s article on Windows 10’s zero-day exploit mitigation features (including mitigating font parsing vulnerabilities).
The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (especially on non-Windows 10 systems). Mitigation options include:
- Disabling the Preview Pane and Details Pane in Windows Explorer
- Disabling the WebClient (for WebDAV) service
- Renaming the impacted Dynamic Linked Library (DLL) file (ATMFD.DLL)
For additional details on how to successfully mitigate these issues, please review the “Temporary Mitigation” section of this advisory.
Affected software
- Windows 10 (All versions)
- Windows 8.1 (All versions)
- Windows 7 (All versions)
- Windows Server 2008 / R2 (All versions)
- Windows Server 2012 / R2 (All versions)
- Windows Server 2016 (All versions)
- Windows Server 2019 (All versions)
Impact
Successful exploitation of these vulnerabilities gives attackers arbitrary code execution. On Windows 7, Windows 8.1 and the corresponding Windows Server releases, ATMFD.DLL runs in kernel mode, so exploitation yields kernel-level privileges and complete control of the system. On Windows 10 and Windows Server 2016/2019, font parsing is confined to a low-privilege AppContainer sandbox, so a successful exploit gains code execution only within that sandbox.
Temporary Mitigation & Workarounds
The Cyber Fusion Center strongly recommends all clients deploy some mitigations to prevent potential exploitation (Especially on non-Windows 10 systems). Mitigation options include:
- Disabling the Preview Pane and Details Pane in Windows Explorer
- Disabling the WebClient (for WebDAV) service
- Renaming the impacted DLL file (ATMFD.DLL)
The sections below describe how to apply these temporary workarounds to prevent the exploitation of these 0-Day vulnerabilities.
Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2008 (R2), Windows 7, Windows Server 2012 (R2), and Windows 8.1):
Disabling the Preview and Details panes in Windows Explorer prevents the automatic display of OTF fonts in Windows Explorer. While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability.
To disable these panes, perform the following steps:
- Open Windows Explorer, click Organize, and then click Layout.
- Clear both the Details pane and Preview pane menu options.
- Click Organize, and then click Folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
Disabling the Preview Pane and Details Pane in Windows Explorer (Windows Server 2016, Windows 10, and Windows Server 2019):
To disable these panes, perform the following steps:
- Open Windows Explorer, click the View tab.
- Clear both the Details pane and Preview pane menu options.
- Click Options, and then click Change folder and search options.
- Click the View tab.
- Under Advanced settings, check the Always show icons, never thumbnails box.
- Close all open instances of Windows Explorer for the change to take effect.
Disabling the WebDAV WebClient Service
Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.
Note: Even after disabling the WebClient Service, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs already installed on the targeted computer or programs which are available via local network file shares. However, this mitigation will now prompt users before running arbitrary software from non-local sources (such as the internet).
To disable the WebClient Service, perform the following steps:
- Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
- Right-click WebClient service and select Properties.
- Change the Startup type to Disabled. If the service is running, click Stop.
- Click OK and exit the management application.
Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 32-bit systems
- Enter the following commands at an administrative command prompt:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
- Restart the system
Rename the impacted Dynamic Link Library (DLL) ATMFD.DLL on 64-bit systems
- Enter the following commands at an administrative command prompt:
cd "%windir%\system32"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
cd "%windir%\syswow64"
takeown.exe /f atmfd.dll
icacls.exe atmfd.dll /save atmfd.dll.acl
icacls.exe atmfd.dll /grant Administrators:(F)
rename atmfd.dll x-atmfd.dll
- Restart the system.
Disable the Adobe Type Manager Library via the registry on Windows 8.1 or below (not recommended)
Windows administrators can disable the Adobe Type Manager Library by modifying the Windows registry on Windows 8.1 and below.
However, disabling the library this way may impact applications that rely on embedded font technology: disabling ATMFD.DLL can cause applications that use OpenType fonts to stop working properly. For details on how to disable ATMFD via registry changes, please review Microsoft’s security advisory.
For details on potential impacts of these workarounds, or details on how to roll back these changes, please review Microsoft’s security advisory.
Sources

Security Advisory: Microsoft Server Message Block 3 (SMBv3) Remote Code Execution Vulnerability
Updated on March 12th, 2020: Microsoft has now released a patch for the vulnerability, and the advisory has been updated to reflect the revised mitigations.
Summary
On March 10th, 2020 the existence of a critical Remote Code Execution (RCE) vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol implementation was inadvertently disclosed. The vulnerability, CVE-2020-0796, is caused by the way newer Windows operating systems handle compressed SMBv3 packets. Microsoft intended to release a patch as part of March’s “Patch Tuesday”; however, the patch appears to have been pulled at the last minute, which led to the issue being disclosed before a patch was available. The flaw is considered critical and could allow attackers to execute arbitrary code without user interaction and without authentication.
This vulnerability is considered “wormable” because it leads to unauthenticated remote code execution against the Windows SMBv3 server implementation. To exploit a Windows machine acting as an SMB server, an unauthenticated attacker simply sends a maliciously crafted compressed packet to the target. Once one system is compromised, the attacker can attempt to automatically exploit other reachable SMB servers. To exploit an SMB client, an attacker would instead need to set up a malicious SMBv3 server and convince a user to connect to it.
The Windows implementation of SMB (SMBv1 in that case) was exploited by WannaCry, NotPetya and other attacks in 2017, enabled by the leak of reliable Equation Group exploits. However, due to the difficulty of reliably exploiting this class of vulnerability, the Cyber Fusion Center does not expect immediate mass exploitation attempts. There are currently no publicly available exploits for this vulnerability, and several Windows exploit mitigations make building a reliable exploit very difficult.
While there are no public exploits at present, the Cyber Fusion Center strongly recommends mitigating the vulnerability as soon as possible.
Note: On March 12, 2020, Microsoft released an out-of-band patch for this vulnerability. The Cyber Fusion Center strongly recommends that organizations apply the patch as soon as possible, especially on SMB servers such as Active Directory domain controllers and file shares. If it’s not possible to patch in the very near future, the Cyber Fusion Center recommends disabling compression for the SMBv3 protocol with the commands in the “Temporary Mitigations” section of this advisory.
Affected software
- Microsoft Windows 10 Version 1903 (May 2019 update)
- Microsoft Windows 10 Version 1909 (November 2019 update)
- Microsoft Windows Server Version 1903 (Server Core Installation)
- Microsoft Windows Server Version 1909 (Server Core Installation)
Impact
Attackers who successfully exploit this vulnerability can execute arbitrary code on the target SMB server or client. The SMBv3 server implementation (srv2.sys) runs in the kernel, so server-side exploitation yields kernel-level code execution. The vulnerability is considered “wormable” because it allows unauthenticated remote code execution without any user interaction.
Mitigation
On March 12th, 2020 Microsoft released an out-of-band patch for this severe vulnerability in Windows’ implementation of SMBv3 compression. The Cyber Fusion Center strongly recommends that organizations apply this patch rather than rely on the temporary mitigations outlined below.
The patch is available via the regular Microsoft Update delivery process and on the Microsoft Security Response Center’s website.
Temporary Mitigation
If the patch cannot be applied immediately, the issue can be mitigated on SMB servers by disabling support for compression in the SMBv3 protocol.
Windows administrators can disable compression, preventing unauthenticated attackers from exploiting the vulnerability against SMBv3 servers, with the PowerShell command below (run from an elevated PowerShell session):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Important Information:
- No reboot is required after making this change
- This workaround does not prevent exploitation of SMB clients
If necessary, you can roll back this change with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Additional Recommendations
The Cyber Fusion Center also strongly recommends that organizations reduce the risk of attacks against Windows 10 clients by blocking all outbound SMB (TCP port 445) at the corporate perimeter firewall.
Additionally, Microsoft has published guidance on preventing lateral SMB connections and preventing SMB traffic from entering or leaving the corporate network; it provides details that help mitigate this vulnerability and similar attacks in the future:
https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
Sources
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
- https://www.zdnet.com/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- https://blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3