Maximum Severity SMBv3 Flaw Identified: Patch Released

Share this article on:

Update 03/12/20: Microsoft has updated its security advisory and has released an out of band update for the flaw for CVE-2020-0796 Windows 10 and Windows Server 1903 / Server 1909: 

A critical flaw has been identified in Windows Server Message Block version 3 (SMBv3) which could potentially be exploited in a WannaCry-style attack. The vulnerability is wormable, which means an attacker could combine it with a worm and compromise all other vulnerable devices on the network from a single infected machine.

This is a pre-auth remote code execution vulnerability in the SMBv3 communication protocol due to an error that occurs when SMBv3 handles maliciously crafted compressed data packets. If exploited, an unauthenticated attacker could execute arbitrary code in the context of the application and take full control of a vulnerable system. The vulnerability can be exploited remotely by sending a specially crafted packet to a targeted SMBv3 server.

The vulnerability, tracked as CVE-2020-0796, affects Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation). It has not yet been confirmed if earlier Windows versions such as Windows 8 and Windows Server 2012 are also vulnerable.

Both Fortinet and Cisco Talos published blog posts summarizing the SMBV3 vulnerability, although Cisco Talos later took down the post. A patch for the flaw was expected to be released by Microsoft on March 2020 Patch Tuesday, but a full fix was not ready in time.

Proof of concept exploits for the flaw have not been published online at the time of writing and there have been no reported cases of exploitation of the vulnerability in the wild; however, Microsoft recommends Windows administrators should take steps to protect against exploitation until a patch is released to correct the flaw.

Workarounds:

  • Disable SMBv3 compression
  • Block TCP port 445 on the network perimeter firewall

Blocking port 445 is the best defense against internet-based attacks, but it will not prevent exploitation from within the enterprise firewall.

SMBv3 compression can be disabled on SMBv3 servers by using the following PowerShell command. No reboot is required after making the change.

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

Microsoft says disabling SMBv3 compression will not prevent exploitation of SMB clients.

It is essential to apply the patch as soon as it is released by Microsoft. No timescale has been released on when the patch will be made available. Due to the severity of the flaw it is probable that an out-of-band patch will be released.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On