A critical remote code execution vulnerability was found in SMBv3 protocol, affecting servers and client machines serving an SMB share. An unauthenticated SMV client can execute arbitrary code with elevated privileges, which could allow an attacker to take full control over the attacked system. This vulnerability has the potential for a wormable attack, meaning that the vulnerability could be exploited automatically from vulnerable system to vulnerable system. CVE-2020-0796
Currently by Microsoft confirmed vulnerable systems as in https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Fixing and mitigation
On March 12 2020, Microsoft has released a security patch that fixes the vulnerability.
Please apply as soon as possible the updates from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
If you cannot patch the systems immediately, please strongly consider following this workaround from Microsoft:
Apply it to all servers and workstations that serve an SMB share. In addition, make sure that firewall rules on the border firewall and on endpoints prevent connections to the vulnerable service if applicable.
Disable SMBv3 compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
- No reboot is needed after making the change.
You can disable the workaround with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.1 - TLP:WHITE - added MS patch - 12 March 2020
- Version 1.0 - TLP:WHITE - First version - 11 March 2020