
Microsoft Windows: Old security hole is actively exploited

An almost two-year-old vulnerability in the Microsoft Windows SMB network file system is being actively exploited again. The US Cybersecurity and Infrastructure Security Agency (CISA) is therefore once again issuing a warning for Windows 10 and Windows Server.

Windows 10: Old SMB vulnerability ripped open again

The Cybersecurity and Infrastructure Security Agency (CISA) has added a whopping 15 new vulnerabilities to a new list of active Windows exploits. Among them is the particularly critical CVE-2020-0796 vulnerability, also known by its nicknames SMBGhost or Eternal Darkness.

It first appeared almost two years ago and was rated 10 out of 10 by Microsoft itself, so it is considered particularly dangerous. It affects the network file system SMB in the current version 3.0 of Windows 10 and Windows Server.

The vulnerability allows remote code execution (RCE), so attackers can run malicious code on affected devices. It is also "wormable", meaning it can be used to build a dangerous computer worm, as US security firm Tenable noted in a post from 2020.

Patch was not applied

The problem: Microsoft released a security patch that fixes CVE-2020-0796 back in March 2020, but not all users have installed it to date. The vulnerability can therefore still be actively exploited on systems that remain unpatched.

Seven-year-old gap continues to be exploited

The list published by CISA also warns about other vulnerabilities that are currently being actively exploited. Affected are, among others, Microsoft Office with an RCE vulnerability (CVE-2017-0262), as well as the no longer officially supported SMBv1.

Also problematic is a particularly old vulnerability (CVE-2015-1635) in the Windows component HTTP.sys, which works as a kernel driver. It is already around seven years old and has now come back into the focus of attackers. The so-called "Apple OS X Heap-Based Buffer Overflow Vulnerability", tracked as CVE-2014-4404, is even a year older. CISA does not disclose the source of its information that these vulnerabilities are currently being actively exploited again.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
