Microsoft SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796) Threat Alert

Microsoft SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796) Threat Alert

March 29, 2020 | Mina Hao

Overview

On March 11, Beijing time, Microsoft released March 2020 updates to fix vulnerabilities among which is a remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) indicated in a security bulletin released earlier. Instead of a security patch, Microsoft currently provides a workaround for users to mitigate this vulnerability.

Vulnerability Description

According to researchers from multiple organizations, this vulnerability is actually the one identified as CVE-2020-0796 and has characteristics of worms. This vulnerability exists in the way the Microsoft SMBv3 protocol handles certain requests. An attacker could exploit this vulnerability in an unauthenticated way.

For the SMBv3 server, attackers could send a crafted packet to the server to trigger this vulnerability; for the SMBv3 client, attackers could trigger this vulnerability by tricking the user into connecting to a maliciously crafted SMB server.

Affected Versions

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Solution

Microsoft provides a mitigation instead of a security patch to fix this vulnerability. Users are advised to apply the following workaround as soon as possible:

Users can run the following PowerShell command to disable compression on the SMBv3 server:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 –Force

Note: No reboot is needed after making the change. The preceding command is only used to temporarily protect against attacks targeting the SMB server. However, attackers can also exploit this vulnerability to target an SMB client.

Besides, users can disable TCP port 445 for protection. For details, see Microsoft’s security advisory at the following address:

https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic

Reference Links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/

https://nullsec.us/cve-2020-0796/

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.