CVE-2020-0796 - SMB Vulnerability

March 12, 2020 by Tal Widerman

The Recently Revealed SMBv3 Vulnerability: Facts and highlights
The tech community was taken by surprise this week when a vulnerability in the extremely secure SMB3.1.1 was accidentally revealed in a Microsoft patch update. The remote code execution vulnerability (CVE-2020-0796) currently does not have an official patch, but workarounds are available.
The SMBv3 vulnerability takes on added importance in light of recent malware attacks such as WannaCry and NotPetya, which exploited flaws in the older SMB1 protocol.
The SMBv3 protocol suite is the latest and most secure Server Message Block protocol, used for accessing and sharing files, printers and resources over networks. As of today, no malicious code or hacking attempt has been reported that exploits the newly discovered flaw.
This Tuesday (the ‘Patch Tuesday’ for Windows), Microsoft rolled out its usual fixes and patches for newly found vulnerabilities in Windows systems. However, one patch was missing. Meanwhile, Cisco Talos and Fortinet published information on a vulnerability, ‘CVE-2020-0796’, that had no patch. This information was quickly removed, but did not go unnoticed. Later in the day, Microsoft published its advisory.

Who is affected
Windows 10 versions 1903 and 1909 (32-bit, 64-bit and ARM64 editions) and Windows Server versions 1903 and 1909.


What’s the issue
The flaw reportedly allows hackers to launch a ‘worm’ attack on clients and servers by using a malicious, compressed data packet. The SMB vulnerability can let an unauthorized attacker run any code as part of an application.
According to the Microsoft advisory, “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
This attack is also ‘wormable’, that is, the attacker can exploit one system, which, in turn, goes on to infect another.


What should be done?
While Microsoft has yet to issue a patch, there are a couple of workarounds to protect Windows systems.
1. One is to disable compression using a PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

2. The other is to block TCP port 445 at the perimeter firewall, so that the malicious code is stopped there.
The SMBv1 protocol has now been discontinued and replaced in new Windows systems by the advanced dialects of SMBv3.
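
To check whether the first workaround above is actually in place on a host, the following added PowerShell example (not part of Microsoft's advisory or of Visuality Systems' products) reports the OS build and the DisableCompression value, and optionally sets it. The function name Test-SmbCompressionWorkaround and its -Apply switch are made up for this illustration; builds 18362 and 18363 correspond to versions 1903 and 1909.

```powershell
# Added example: audit (and optionally apply) the DisableCompression workaround locally.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegName = 'DisableCompression'

function Test-SmbCompressionWorkaround {
    param(
        # Hypothetical switch: write the value when it is missing on an affected build.
        [switch]$Apply
    )

    # Windows 10 / Windows Server version 1903 is build 18362, version 1909 is build 18363.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $affectedBuild = $build -in 18362, 18363

    # A missing value means the workaround was never applied (compression still enabled).
    $current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    $disabled = ($current -eq 1)

    if ($Apply -and $affectedBuild -and -not $disabled) {
        # Same setting as the command in the article; requires an elevated session.
        Set-ItemProperty -Path $RegPath -Name $RegName -Type DWORD -Value 1 -Force
        # Read the value back instead of assuming the write succeeded.
        $current = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
        $disabled = ($current -eq 1)
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedBuild       = $affectedBuild
        DisableCompression  = $current
        CompressionDisabled = $disabled
        NeedsAction         = ($affectedBuild -and -not $disabled)
    }
}

# Report only; add -Apply to set the value on an affected build.
Test-SmbCompressionWorkaround
```

Microsoft's advisory notes that no reboot is needed after setting the value and that this setting does not protect SMB clients.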

Meanwhile, everyone is awaiting patches from Microsoft. According to all forecasts, the company will release them quite soon.

Visuality Systems confirms that the SMBv3.x related products are not affected by the Microsoft Windows CVE-2020-0796 vulnerability.