SANS ISC: Critical SMBv3 Vulnerability: Remote Code Execution SANS ISC InfoSec Forums

Critical SMBv3 Vulnerability: Remote Code Execution

[Update March 12, 2020]

Microsoft released patches for the affected systems: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

--

SMB has been a targeted protocol several times already, and it is back on stage today with a new CVE: CVE-2020-0796. This time, version 3 of the protocol is affected by a remote code execution vulnerability. Microsoft has enhanced the SMB protocol multiple times and added more features; the one targeted today seems to be data compression. At this time, Microsoft has not released details and no patch is available. What do we know?

Affected Windows versions:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

A computer can be compromised by exposing a vulnerable SMBv3 server to the wild, but a client may also be affected just by connecting to a malicious SMBv3 server. Both clients and servers are affected!

How to protect your resources?

  • Microsoft published a workaround[1] via PowerShell (see below)
  • Restrict SMB traffic to the strict minimum
    • Do not expose servers in the wild, restrict access to them
    • Do not allow SMB traffic to the outside world. We can guess that malicious emails and malware will include "smb://" URLs soon.

The PowerShell workaround is:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
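As an added example (not part of the diary and not Microsoft's own script), the following PowerShell wraps the workaround above into something an administrator can run on a fleet: it checks whether the host is one of the affected builds, audits and applies the DisableCompression value, and adds a host firewall rule that blocks outbound TCP 445 to the Internet, which is the "do not allow SMB traffic to the outside world" recommendation above. The function names, the firewall rule name and the mapping of 1903/1909 to build numbers 18362/18363 are this example's own choices; the registry path and value name come from the workaround.

```powershell
# Added example: audit/apply the SMBv3 compression workaround and restrict outbound SMB.
# Run in an elevated PowerShell session on Windows 10 1903/1909 or Server 1903/1909.
# Function names, rule name and build-number mapping are this example's assumptions.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

function Test-VulnerableBuild {
    # Version 1903 is build 18362 and version 1909 is build 18363 (the affected list).
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    return ($build -in 18362, 18363)
}

function Get-SmbCompressionWorkaroundState {
    # Returns 'Applied' when DisableCompression is 1, 'NotApplied' when absent or 0.
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.$ValueName -eq 1) {
        return 'Applied'
    }
    return 'NotApplied'
}

function Enable-SmbCompressionWorkaround {
    # Same registry change as the one-liner in the diary; no reboot is required.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 1 -Force
}

function Disable-SmbCompressionWorkaround {
    # Reverts to the default once the CVE-2020-0796 patch has been installed.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value 0 -Force
}

function Block-OutboundSmbToInternet {
    # Blocks TCP 445 toward non-local addresses so a client cannot be lured to an
    # SMB server outside the network. 'Internet' is a built-in RemoteAddress keyword.
    $name = 'Block outbound SMB (TCP 445) to Internet - CVE-2020-0796'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# --- main ---
if (-not (Test-VulnerableBuild)) {
    Write-Host 'This build is not in the affected list; nothing to do.'
    return
}
Write-Host ('Server compression workaround: {0}' -f (Get-SmbCompressionWorkaroundState))
if ((Get-SmbCompressionWorkaroundState) -eq 'NotApplied') {
    Enable-SmbCompressionWorkaround
    Write-Host ('Now: {0}' -f (Get-SmbCompressionWorkaroundState))
}
Block-OutboundSmbToInternet
Write-Host 'Outbound SMB to the Internet is blocked at the host firewall.'
```

The registry value only changes the behaviour of the SMB server component; the client side is not covered by it, which is why the firewall rule is kept as a separate step. Use Disable-SmbCompressionWorkaround to restore the default after the patch is deployed.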

We will continue to update this diary based on the information collected. 

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Thank you!
Anonymous
