Microsoft SMBv3 Compression Vulnerability

Microsoft SMBv3 Compression Vulnerability

It was announced by Microsoft on March 10, 2020 that the SMBv3 protocol contains vulnerability with the code CVE-2020-0796.

It has been announced that an attacker who successfully exploited this vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit a vulnerability in an SMB server, it has been communicated that an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server.

It has been reported that to exploit this vulnerability, an unauthenticated attacker must configure a malicious SMBv3 Server and convince the user to connect to it.

Microsoft has announced a temporary solution for this vulnerability.

SOLUTION/RECOMMENDATION

Until the security update is released by Microsoft, the temporary solution in the following is recommended.

Disabling SMBv3 Compression

To prevent unauthenticated attackers from exploiting a SMBv3 Server vulnerability, you can disable compression with the following PowerShell command:

Set-ItemProperty-Path "HKLM: \ SYSTEM \ CurrentControlSet \ Services / \ LanmanServer \ Parameters" DisableCompression -Type DWORD -Value 1 –Force

Notes:

1. This change does not require reboot.
2. This temporary solution does not prevent the vulnerability of SMB clients.
3. This temporary solution can be disabled with the following PowerShell command:

Set-ItemProperty-Path"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

The temporary solution published by Microsoft; It must be implemented urgently on all relevant servers before any security incident occurs. Using vulnerability detection systems, all systems should be scanned for this vulnerability and the detected servers should be improved as soon as possible. In addition, if possible, it will be useful to activate signatures related to this vulnerability in security devices.

Before moving on to all systems, it is recommended that the update must be tested to avoid any interruptions over the service.

Operating Systems

Microsoft Client and Microsoft Server systems

Versions

Microsoft Windows 10, Microsoft Windows Server

CVE / CWE

CVE-2020-0796

Additional Information

1. https://www.zdnet.com/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu/
2. https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/
3. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Current Security Vulnerability Reports