
Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)

This Patch Tuesday, Microsoft disclosed a remote code execution vulnerability in the SMB 3.1.1 (v3) protocol. Even though the initial Patch Tuesday release did not mention this vulnerability, details of the issue (CVE-2020-0796) were published accidentally on another security vendor's blog. Microsoft published security advisory ADV200005 and technical guidance soon after the accidental disclosure of the vulnerability.

The Vulnerability

A critical remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An unauthenticated attacker could exploit the vulnerability to execute arbitrary code on the SMB server by sending a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

Affected Operating Systems

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Currently, there is no patch available for this vulnerability. However, Microsoft has provided workarounds in a security advisory: disable SMBv3 compression, and block TCP port 445 on client computers and firewalls to prevent attackers from exploiting the vulnerability.

Detecting CVE-2020-0796 with Qualys VM

Qualys has issued QID 91614 for Qualys Vulnerability Management that covers CVE-2020-0796 across all impacted operating systems. This QID will be included in signature version VULNSIGS-2.4.837-4, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.837.4-3. Details of the detection are also available at Microsoft Security Alert: March 10, 2020.

QID 91614 : Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)

This QID checks if SMBv3 is enabled on the host and if the following workaround is not applied (the registry value under the LanmanServer Parameters key):

"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters";
DisableCompression -Type DWORD -Value 1

You can search for this within the VM Dashboard by using the following QQL query:

vulnerabilities.vulnerability.cveIds:CVE-2020-0796
vulnerabilities.vulnerability.qid:91614

Qualys Threat Protection

Qualys customers can locate vulnerable hosts through Qualys Threat Protection. This helps accelerate identification and tracking of this vulnerability.

Workaround

  • Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below –

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

  • Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.
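The following PowerShell script is an added example, not code from the Qualys post or from Microsoft's advisory. It reproduces the two checks the post attributes to QID 91614 (SMBv3 server enabled, DisableCompression not set to 1) as a local assessment, and then applies the registry workaround from the advisory and re-reads the value to verify it. It assumes an elevated session on a Windows 10 or Windows Server 1903/1909 host where the Get-SmbServerConfiguration cmdlet is available; the function names Test-SmbV3CompressionWorkaround and Invoke-SmbV3CompressionWorkaround are hypothetical names chosen for this example.

```powershell
# Added example (not from the Qualys post or ADV200005): assess and optionally
# apply the SMBv3 compression workaround on the local host. Assumes an elevated
# PowerShell session on Windows 10 / Windows Server 1903 or 1909.
# Function names below are hypothetical, chosen for this example only.

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbV3CompressionWorkaround {
    # Mirrors the logic the post describes for QID 91614: is the SMBv3 server
    # enabled, and is DisableCompression = 1 missing?
    [CmdletBinding()]
    param()

    # ReleaseId reads "1903" / "1909" on the affected builds listed in the post.
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' `
        -ErrorAction SilentlyContinue).ReleaseId
    $affectedRelease = $releaseId -in @('1903', '1909')

    # SMB2 and SMB3 share a single server-side switch; there is no separate SMB3 toggle.
    $smbConfig = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $smb3Enabled = ($null -ne $smbConfig) -and $smbConfig.EnableSMB2Protocol

    # Read the value the advisory's workaround sets; $null means it was never created.
    $disableCompression = (Get-ItemProperty -Path $ParamsKey -Name DisableCompression `
        -ErrorAction SilentlyContinue).DisableCompression
    $workaroundApplied = ($disableCompression -eq 1)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $releaseId
        AffectedRelease    = $affectedRelease
        Smb3ServerEnabled  = $smb3Enabled
        DisableCompression = $disableCompression
        WorkaroundApplied  = $workaroundApplied
        # Same condition QID 91614 is described as flagging: affected build,
        # SMBv3 server on, mitigation absent.
        Vulnerable         = ($affectedRelease -and $smb3Enabled -and -not $workaroundApplied)
    }
}

function Invoke-SmbV3CompressionWorkaround {
    # Applies the advisory's registry change, then verifies by re-reading the key.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($ParamsKey, 'Set DisableCompression = 1')) {
        # Same operation as the Set-ItemProperty command in the advisory;
        # -Force creates the value if it does not exist yet.
        Set-ItemProperty -Path $ParamsKey -Name DisableCompression -Type DWORD -Value 1 -Force
    }

    # Re-read rather than trust the write: this is the state a scanner will see.
    Test-SmbV3CompressionWorkaround
}

# Assess first, remediate only when the host is actually in the flagged state.
$before = Test-SmbV3CompressionWorkaround
$before | Format-List

if ($before.Vulnerable) {
    $after = Invoke-SmbV3CompressionWorkaround
    if (-not $after.WorkaroundApplied) {
        Write-Warning 'DisableCompression is still not 1 after the write; check that the session is elevated.'
    }
}
```

Run it as Administrator; pass -WhatIf to Invoke-SmbV3CompressionWorkaround to preview the registry write without making it. As the post notes, this registry value only protects the SMBv3 server role on the host; the client-side scenario (a user connecting to a malicious SMBv3 server) is addressed by the port 445 blocking described above, not by this value.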

*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Animesh Jain. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-cve-2020-0796