Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Summary:

Earlier this week, details of an unpatched vulnerability were accidentally published highlighting an RCE flaw in SMBv3. Identified as CVE-2020-0796, the critical severity vulnerability resides in Microsoft’s SMB 3.1.1 (v3) protocol and affects the following Microsoft versions:

  • Windows Server
    • Version 1903 (Server Core Installation)
    • Version 1909 (Server Core Installation)
  • Windows 10
    • Version 1903 for 32-bit Systems
    • Version 1903 for ARM64-based Systems
    • Version 1903 for x64-based Systems
    • Version 1909 for 32-bit Systems
    • Version 1909 for ARM64-based Systems
    • Version 1909 for x64-based Systems

Microsoft quickly released a security advisory after the blunder and have since issued an out-of-band update. Full advisory here: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Vulnerability Details:

Due to the severity of the flaw, full exploitation details have been withheld but researchers have already posted proof-of-concepts showing DOS and privilege escalation capabilities through CVE-2020-0796, which means malicious actors are likely close behind.

Microsoft have released the following notes regarding exploitation:

  • To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.
  • To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

Successful exploitation of the vulnerability would grant the attacker arbitrary code execution in both SMB Server and SMB Client. Once a network device has been compromised, the malware could spread laterally within the network by searching for further vulnerable systems.

Recommendations:

It is advised that affected systems should be updated as soon as possible, however, disabling SMBv3 compression can also be used as a temporary workaround. Administrators should also consider blocking TCP port 445 at the enterprise perimeter firewall to protect devices from internet-based attacks.

The below PowerShell command disables SMB compression and can be used to block attackers from exploiting vulnerable SMBv3 servers (Please note this does not prevent exploitation of SMB clients):

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

The full advisory can be found here: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Links:

threatpost.com/wormable-unpatched-microsoft-bug/153632/ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796

www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block

www.bleepingcomputer.com/news/security/48k-windows-hosts-vulnerable-to-smbghost-cve-2020-0796-rce-attacks/