Wormable vulnerability in SMBv3 (CVE-2020-0796)

Microsoft has leaked information about a new wormable vulnerability (CVE-2020-0796) in the Microsoft Server Message Block (SMB) protocol.


  • Overview

The issue resides in the Server Message Block 3.0 (SMBv3) network communication protocol and was not addressed in the March 2020 Patch Tuesday updates.

The vulnerability is caused by an error in the way SMBv3 handles maliciously crafted compressed data packets. A remote, unauthenticated attacker could exploit the flaw to execute arbitrary code within the context of the application.


  • Impact

Remote attackers can gain control of vulnerable systems.

  • Systems Affected

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows Server, version 1909 (Server Core installation)

  • Description

This indicates an attack attempt to exploit a buffer overflow vulnerability in Microsoft SMB servers. The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.

  • Recommendation

As Microsoft has not released a security patch for this vulnerability, the following mitigations are recommended:

  • Cisco Talos shared the following:

Disabling SMBv3 compression and blocking TCP port 445 on client computers and firewalls should block attacks attempting to exploit the flaw.

  • Microsoft published a security advisory (ADV200005) with details on how to disable SMBv3 compression to protect servers against exploitation attempts:

To disable compression on SMBv3 servers, run this PowerShell command (no reboot required; it does not prevent exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

To protect your network:

  1. Block TCP port 445 at the enterprise perimeter firewall

Blocking TCP port 445 at the network perimeter firewall will help protect systems behind that firewall from exploitation attempts that originate outside the network. (Systems remain vulnerable to attacks that come from inside the organization.)

  2. Prevent SMB traffic from making lateral connections and from entering or leaving the network
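The following script is an added example and is not part of the advisory or of Microsoft's guidance. It audits whether a host is in the affected-version list above and whether the ADV200005 DisableCompression workaround is in place, and can apply that workaround and the host-level port 445 block that Talos describes. It assumes an elevated session and the build-number mapping 1903 = 18362 and 1909 = 18363.

```powershell
# Added example (not part of the advisory): audit whether a Windows 10 host is in
# the affected-version list above and whether the ADV200005 workaround is applied;
# -Apply sets DisableCompression, -BlockPort445 adds a host firewall rule.
# Assumption: 1903 is build 18362 and 1909 is build 18363; run elevated.
param(
    [switch]$Apply,
    [switch]$BlockPort445
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

function Get-SmbCompressionState {
    # 'Disabled' only when the value exists and is exactly 1, as the advisory sets it.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($AffectedBuilds.ContainsKey($build)) {
    Write-Host "Build $build (Windows version $($AffectedBuilds[$build])) is in the affected list for CVE-2020-0796"
} else {
    Write-Host "Build $build is not in the affected-version list of this advisory"
}
Write-Host "SMBv3 server compression: $(Get-SmbCompressionState)"

if ($Apply -and (Get-SmbCompressionState) -eq 'Enabled') {
    # Same registry value the advisory sets; no reboot needed; protects the server side only.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force
    Write-Host "DisableCompression set to 1; compression is now $(Get-SmbCompressionState)"
}

if ($BlockPort445) {
    # Host-level form of the Talos advice: block inbound TCP 445 on the client itself.
    $ruleName = 'Block inbound TCP 445 (CVE-2020-0796 workaround)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Host "Firewall rule '$ruleName' created"
    } else {
        Write-Host "Firewall rule '$ruleName' already present"
    }
}
```

Blocking inbound TCP 445 also stops the host from serving its own file shares, so check for legitimate SMB services before rolling the rule out broadly.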

References

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
  2. https://fortiguard.com/encyclopedia/ips/48773
  3. https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/
  4. https://cc.bingj.com/cache.aspx?q=https%3a%2f%2fblog.talosintelligence.com%2f2020%2f03%2fmicrosoft-patch-tuesday-march-2020.html&w=NrvF66m3pULMCOMEBw-cKyRUwi9s1qXv&d=928684983196

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.
