TR-58 - CVE-2020-0796 - Critical vulnerability in Microsoft SMBv3 - status and mitigation


  1. Overview
  2. Vulnerable systems
  3. Fixing and mitigation
  4. Workaround
  5. References
  6. Classification of this document
  7. Revision


Overview

A critical remote code execution vulnerability (CVE-2020-0796) was found in the SMBv3 protocol, affecting servers and client machines that serve an SMB share. An unauthenticated SMB client can execute arbitrary code with elevated privileges, which could allow an attacker to take full control over the attacked system. This vulnerability has the potential for a wormable attack, meaning that it could be exploited automatically from vulnerable system to vulnerable system.

Vulnerable systems

Systems currently confirmed as vulnerable by Microsoft, as listed in https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Fixing and mitigation

On March 12 2020, Microsoft released a security patch that fixes the vulnerability.

Please apply the updates from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796 as soon as possible.

Workaround

If you cannot patch the systems immediately, please strongly consider applying the following workaround from Microsoft:

Apply it to all servers and workstations that serve an SMB share. In addition, make sure that firewall rules on the border firewall and on endpoints prevent connections to the vulnerable service if applicable.

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

  • No reboot is needed after making the change.

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
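The script below is an added example and is not part of the CIRCL advisory or of Microsoft's guidance. It ties the workaround steps above together for an administrator: it checks whether the host runs one of the affected Windows 10 / Windows Server releases (the build numbers 18362 for version 1903 and 18363 for version 1909 are assumed from general knowledge, not from this advisory), reports whether the host serves any non-administrative SMB share, reads the current DisableCompression state, and applies or reverts the registry workaround. It also shows a host firewall rule blocking inbound SMB, assuming the SMB service listens on TCP port 445 (an assumption, since the advisory does not name the port). The function names are hypothetical and the script must be run from an elevated PowerShell session.

```powershell
# Added example, not from the CIRCL advisory or from Microsoft.
# Audits and applies the CVE-2020-0796 registry workaround. Run elevated.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Assumed build numbers of the affected releases (1903 = 18362, 1909 = 18363).
$AffectedBuilds = @(18362, 18363)

function Test-AffectedBuild {
    # Compare the running build against the assumed affected builds.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return $AffectedBuilds -contains [int]$ver.CurrentBuildNumber
}

function Test-ServesSmbShare {
    # The advisory scopes the workaround to hosts that serve an SMB share;
    # -Special $false excludes the administrative shares (C$, ADMIN$, IPC$).
    $shares = Get-SmbShare -Special $false -ErrorAction SilentlyContinue
    return ($null -ne $shares -and @($shares).Count -gt 0)
}

function Get-SmbCompressionState {
    # The value is absent by default, which means compression is enabled.
    $item = Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (compression enabled, workaround NOT applied)' }
    if ($item.DisableCompression -eq 1) { return 'Disabled (workaround applied)' }
    return 'Enabled (workaround NOT applied)'
}

function Set-SmbCompressionWorkaround {
    # Same registry write as in the advisory; -Revert restores the default (0).
    # No reboot is needed after the change.
    param([switch]$Revert)
    $desired = if ($Revert) { 0 } else { 1 }
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value $desired -Force
}

function Add-SmbInboundBlockRule {
    # Host-firewall counterpart of the advisory's "prevent connections to the
    # vulnerable service" advice. Assumes SMB on TCP 445; only use on hosts
    # that do not need to serve shares, since this blocks all inbound SMB.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - CVE-2020-0796' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# --- Audit run -------------------------------------------------------------
Write-Host ("Affected build           : {0}" -f (Test-AffectedBuild))
Write-Host ("Serves non-admin shares  : {0}" -f (Test-ServesSmbShare))
Write-Host ("SMBv3 compression state  : {0}" -f (Get-SmbCompressionState))

if ((Test-AffectedBuild) -and (Get-SmbCompressionState) -notlike 'Disabled*') {
    Write-Host 'Applying workaround: disabling SMBv3 compression.'
    Set-SmbCompressionWorkaround
    Write-Host ("New state                : {0}" -f (Get-SmbCompressionState))
}
```

To undo the change once the Microsoft patch has been installed, call `Set-SmbCompressionWorkaround -Revert`; to roll out the firewall rule as well, call `Add-SmbInboundBlockRule` explicitly rather than from the audit run, since it affects every inbound SMB connection, not just the vulnerable compression path.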

References

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:WHITE - added MS patch - 12 March 2020
  • Version 1.0 - TLP:WHITE - First version - 11 March 2020