- A wormable flaw on SMBv3 has been published, but not fixed by Microsoft yet.
- The company offered some workarounds and promised to release a patch soon.
- All versions before Windows 10 1903 are safe from this vulnerability, as they don’t support SMB compression.
Although Microsoft pushed its biggest-ever security patch yesterday, one flaw was left out of it and was accidentally published by the tech giant on March 10. Carrying the identifier "CVE-2020-0796", this is a critical flaw in the SMBv3 (Server Message Block 3.1.1) network communications protocol. Microsoft disclosed the flaw by mistake through the "Active Protections Program," which is meant to link the company with various security vendors. While the technical information was retracted right after it was published, people took note of the bug and figured that it's a pretty nasty one.
The vulnerability enables a malicious actor to launch a remote code execution (RCE) attack by sending a specially crafted packet to the target SMBv3 server. The only prerequisite is connecting to the target server first. Code execution can take place on either the server or the SMB client, and, unfortunately, the flaw is wormable. Microsoft understands the criticality of the vulnerability and will fix it as quickly as possible, but right now there is no patch to plug the flaw. The vulnerable systems are the following:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Windows versions older than 10 v1903 are not affected by this vulnerability, as support for SMBv3.1.1 compression was added recently. There have been no confirmed cases of exploiting CVE-2020-0796 in the wild. However, with Microsoft having published the technical details about the flaw two days ago, it is only a matter of time before seeing it used for malicious purposes. If you are the administrator of an SMB server, you should use the following PowerShell command to block any attacks:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
In addition, SMB clients should block TCP port 445 at the enterprise perimeter firewall, exactly as they did with WannaCry. This won’t protect systems from attacks that stem from within the enterprise perimeter, so keep that in mind. Of course, everyone is advised to apply the fixing patches as soon as Microsoft releases them, and this shouldn’t take too long now.
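An added audit script, not part of the original article or of Microsoft's advisory, that an administrator can run on a Windows host to check whether it is in scope for this flaw and whether the DisableCompression workaround quoted above is in place. It assumes that Windows 10 / Windows Server 1903 and 1909 correspond to build numbers 18362 and 18363; the registry path and the workaround command itself are the ones the article gives.

```powershell
# Added audit script (not from the article). Assumption: the affected releases map to
# build numbers 18362 (1903) and 18363 (1909). The registry path and the workaround
# command are exactly the ones quoted in the article.
function Test-SmbCompressionWorkaround {
    [CmdletBinding()]
    param(
        # Apply the workaround on an exposed host (requires an elevated prompt).
        [switch]$Apply
    )

    $regPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $affectedBuilds = @(18362, 18363)   # 1903 and 1909 (assumed build mapping)

    $build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $inScope = $affectedBuilds -contains $build

    # DisableCompression does not exist by default; a missing value means compression is ON.
    $dc = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($dc -eq 1)

    # Is the SMB server actually listening on TCP 445 on this host?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    if ($Apply -and $inScope -and -not $compressionDisabled) {
        # The workaround from the article; it protects the server side only, not SMB clients.
        Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value 1 -Force
        $compressionDisabled = $true
    }

    $status = 'Exposed'
    if (-not $inScope)            { $status = 'NotAffected' }
    elseif ($compressionDisabled) { $status = 'ServerMitigated' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        InScope             = $inScope
        CompressionDisabled = $compressionDisabled
        Port445Listening    = $listening
        Status              = $status
    }
}

# Audit only by default; add -Apply from an elevated prompt to set the workaround on an exposed host.
Test-SmbCompressionWorkaround | Format-List
```

Port445Listening is reported so that a host with the server service reachable and Status 'Exposed' can be prioritised; the client side of the flaw is not covered by this registry value, so the firewall advice above still applies.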