Identifying and Mitigating the CVE-2020–0796 flaw on the fly

Ben Komoni
Mar 11, 2020 · 2 min read


CVE-2020-0796 is a pre-authentication remote code execution vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol, which Microsoft did not address as part of the March 2020 Patch Tuesday.

Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability in the way it handles connections that use compression. In more technical terms, this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

How can this vulnerability be triggered?

The vulnerability is caused by an error in the way SMBv3 handles maliciously crafted compressed data packets. A remote, unauthenticated attacker could exploit the flaw to execute arbitrary code within the context of the application.

A scanner to identify the vulnerability in your network can be found at my GitHub repo.

Which devices does CVE-2020-0796 affect?

Windows Server Version 1903 (Server Core Installation)
Windows Server Version 1909 (Server Core Installation)
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems

More versions should be affected, given that SMBv3 was introduced in Windows 8 and Windows Server 2012.

Microsoft has not yet released an update to close the SMBv3 vulnerability. Yesterday's Patch Tuesday (March 10, 2020) did not address the problem.

The temporary workaround

The workaround should be applied to all servers and workstations that serve an SMB share. In addition, make sure that firewall rules on the border firewall and on endpoints block inbound and outbound connections to the vulnerable service (TCP port 445) where applicable.

Disable SMBv3 compression

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

Block inbound and outbound SMB

Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed inbound to the enterprise LAN.
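As an added example (not code from the original post or its scanner), the function below audits a host for both workarounds above, reporting the OS build, the DisableCompression value, whether anything listens on TCP 445 and whether an enabled inbound block rule covers that port, and can apply the registry workaround with -Remediate. It assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules present); the build numbers 18362 and 18363 are my mapping of the listed 1903 and 1909 releases.

```powershell
# Added example, not from the original post. Audits the two SMBv3 workarounds
# (DisableCompression registry value, TCP 445 exposure) on the local host.
# Assumes an elevated session; build numbers below are assumed for 1903/1909.

function Test-SmbGhostExposure {
    [CmdletBinding()]
    param(
        # Apply the DisableCompression workaround if it is missing or not 1.
        [switch]$Remediate
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $listedBuilds = @(18362, 18363)   # Windows 10 / Server 1903 and 1909 (assumed)

    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # Workaround 1: DisableCompression must exist and be exactly 1.
    $prop = Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue
    $compressionOff = ($null -ne $prop) -and ([int]$prop.DisableCompression -eq 1)

    if ($Remediate -and -not $compressionOff) {
        Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWord -Value 1 -Force
        # Re-read the value rather than assuming the write succeeded.
        $prop = Get-ItemProperty -Path $regPath -Name DisableCompression
        $compressionOff = ([int]$prop.DisableCompression -eq 1)
    }

    # Workaround 2: TCP 445 should not be reachable. Report whether the server is
    # listening and whether an enabled inbound block rule covers the port.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $blockRule = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        BuildNumber         = $build
        BuildListedInPost   = ($listedBuilds -contains $build)
        CompressionDisabled = $compressionOff
        Port445Listening    = ($null -ne $listening)
        InboundBlockRule    = ($null -ne $blockRule)
        # Action is needed on a listed build that still accepts compression.
        NeedsAction         = ($listedBuilds -contains $build) -and (-not $compressionOff)
    }
}

# Audit only; add -Remediate to set DisableCompression=1 and re-check.
Test-SmbGhostExposure | Format-List
```

Run it across a fleet with Invoke-Command to get one object per host, and keep the NeedsAction column as the follow-up list.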

We applaud software developers creating new tools to make our lives easier, but each new step provides a new vector of attack. That's why companies should be cautious when changing or updating their configurations, and always invest in proactive cyber defense.
