Microsoft leaks info about a new wormable vulnerability (CVE-2020-0796) in the Microsoft Server Message Block (SMB) protocol.
The issue resides in the Server Message Block 3.0 (SMBv3) network communication protocol and it has not been addressed in the March 2020 Patch Tuesday.
The vulnerability is caused by an error in the way SMBv3 handles maliciously crafted compressed data packets. A remote, unauthenticated attacker could exploit the flaw to execute arbitrary code within the context of the application.
Remote attackers can gain control of vulnerable systems.
- Systems Affected
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows Server, version 1909 (Server Core installation)
This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.
As Microsoft has not released a security patch for this vulnerability, the following mitigations apply:
- Cisco Talos shared that,
Disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.
- Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts.
Disable compression on SMBv3 servers with this PowerShell command (no reboot required; this does not prevent the exploitation of SMB clients):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
To protect your network:
- Block TCP port 445 at the enterprise perimeter firewall
Blocking TCP port 445 at the network perimeter firewall will help to protect systems that are behind that firewall from attempts that come from outside to exploit this vulnerability. (Systems remain vulnerable to attacks that come from inside the organization.)
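To confirm the server-side workaround on a host, the following audit is an added example, not taken from the Microsoft or Cisco Talos guidance. The function name Test-SmbCompressionWorkaround is hypothetical, and the mapping of OS builds 18362 and 18363 to versions 1903 and 1909 is an assumption of the example.

```powershell
# Added example: audit (and optionally apply) the SMBv3 compression workaround.
# Assumption: builds 18362 / 18363 correspond to the 1903 / 1909 versions listed above.
$ParamPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

function Test-SmbCompressionWorkaround {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)              # writing to HKLM requires an elevated session

    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # A missing registry value means the workaround was never applied.
    $prop  = Get-ItemProperty -Path $ParamPath -Name DisableCompression -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.DisableCompression } else { $null }

    if ($Remediate -and $value -ne 1 -and
        $PSCmdlet.ShouldProcess($ParamPath, 'Set DisableCompression = 1')) {
        # Same setting as the command in the advisory text.
        Set-ItemProperty -Path $ParamPath -Name DisableCompression -Type DWORD -Value 1 -Force
        $value = (Get-ItemProperty -Path $ParamPath -Name DisableCompression).DisableCompression
    }

    # Is the SMB server reachable on TCP 445 on this host at all?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = $build
        AffectedVersion    = $AffectedBuilds[$build]      # empty if not a listed version
        DisableCompression = $value
        ServerWorkaround   = ($value -eq 1)               # server side only, not SMB clients
        ListeningOn445     = [bool]$listening
        NeedsAction        = ($AffectedBuilds.ContainsKey($build) -and ($value -ne 1))
    }
}

# Report only; add -Remediate (optionally with -WhatIf) to apply the setting.
Test-SmbCompressionWorkaround | Format-List
```

A host reporting NeedsAction = True with ListeningOn445 = True is a listed version that still accepts SMB connections without the workaround in place.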
The information provided herein is on an "as is" basis, without warranty of any kind.