Updated on March 12th, 2020: to reflect that Microsoft has now made a patch for the vulnerability available. As such, we’ve updated the advisory reflects updated mitigations.
Summary
On March 10th, a critical Remote Code Execution (RCE) vulnerability in the Microsoft Server Message Block (SMBv3) protocol was inadvertently disclosed. The vulnerability, known as CVE-2020-0796, is caused by how newer Windows operating systems handle certain requests, specifically compressed SMBv3 packets. Microsoft intended to release a patch for this vulnerability as part of March’s “Patch Tuesday”, however, the patch appears to have been pulled at the last minute. This led to the inadvertent disclosure of the issue before a patch is available. The flaw, considered critical, and could allow attackers to execute arbitrary code without user interaction and without authentication.
This critical vulnerability is considered “wormable” as it leads to pre-authenticated remote code execution of the Windows server implementation of SMBv3. To exploit the vulnerability on a Windows machine acting as an “SMB server”, unauthenticated attackers can simply send a maliciously crafted packet to a targeted SMBv3 Server. Once an attacker has successfully compromised one system, they can attempt to automatically exploit other reachable SMB servers. However, to exploit an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
The Windows implementation of the SMB protocol was recently exploited by WannaCry, NotPetya and other recent attacks, enabled by a leak of reliable equation group exploits in 2017. However, Due to the difficulty in successfully and reliably exploiting such vulnerabilities, the Cyber Fusion Center does not expect to see immediate mass exploitation attempts. There are currently no publicly available exploits targeting this vulnerability and there are several Microsoft Windows exploit mitigations that make building a successful and reliable exploit very difficult.
While they are no current public exploits, the Cyber Fusion Center strongly recommends mitigating the vulnerability as soon as possible.
Note: On March 12, 2020, Microsoft released an out-of-band patch for this vulnerability. The Cyber Fusion Center strongly recommends that organizations apply the patch as soon as possible, especially on SMB servers such as Active Directory domain controllers and file shares. If it’s not possible to patch in the very near future, the Cyber Fusion Center recommends disabling compression for the SMBv3 protocol with the commands in the “Temporary Mitigations” section of this advisory.
Affected software
- Microsoft Windows 10 Version 1903 (May 2019 update)
- Microsoft Windows 10 Version 1909 (v1909)
- Microsoft Windows Server Version 1903 (Server Core Installation)
- Microsoft Windows Server Version 1909 (Server Core Installation)
Impact
Attackers who successfully exploit this vulnerability can execute arbitrary code within the context of the SMBv3 process. The vulnerability is considered “wormable” as it allows for pre-authenticated remote code execution without any user interaction.
Mitigation
On March 12th, 2020 (one day after “Patch Tuesday”) Microsoft released out-of-band patches for this severe vulnerability in Window’s implementation of SMBv3 compression. The Cyber Fusion Center strongly recommends organizations apply this patch rather than use the temporary mitigations outlined below.
The patch is available via the traditional Microsoft Update delivery process and on the Microsoft Security Response Centers website.
Temporary Mitigation
While there is no patch for this vulnerability yet, it’s possible to mitigate the issue on SMB servers by disabling support for compression on the SMBv3 protocol.
Windows administrators can disable compression to prevent unauthenticated attackers from exploiting the vulnerability on SMBv3 Servers by using the PowerShell command below.
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Important Information:
- No reboot Is required after making this change
- This workaround does not prevent exploitation of SMB clients
If necessary, you can rollback this change with the Powershell command bellow:
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Additional Recommendations
The Cyber Fusion Center also strongly recommends that organizations mitigate the potential of an attack on a Windows 10 client by blocking all outbound SMB (TCP port 445) on corporate firewalls.
Additionally, Microsoft has published guidelines for preventing lateral SMB connections and preventing SMB traffic from entering or leaving the corporate network provides details on how to mitigate this vulnerability and other attackers in the future:
https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
Sources
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
- https://www.zdnet.com/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- https://blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3
.jpg)
- MITRE ATT&CK & D3FEND: Step-by-Step Guide to Closing Security Visibility Gaps - September 5, 2022
- “INCONTROLLER” / “PIPEDREAM” ICS Toolkit Targeting Energy Sector - April 25, 2022
- 8 Tips for Choosing an MSSP - February 16, 2022