Threat Response: Vulnerability in Microsoft SMBv3 (CVE-2020-0796)

10-03-2020

A SAFE DIGITAL JOURNEY

On Tuesday 10 March, information regarding a serious vulnerability in Microsoft’s SMBv3 protocol has been published [1][2]. The vulnerability can lead to remote code execution. Via this message, we would like to inform you about the threat, and the possible mitigation steps that can be taken.

Description

A vulnerability exists in the way a compressed packet is handled in the SMBv3. An unauthenticated attacker may be able to execute arbitrary code on a machine remotely by exploiting the vulnerability. To do so, an attacker must craft a malicious packet themselves, and send this to a SMB server. Both the SMB Server and SMB Client are vulnerable, within the following Windows versions:

  • Windows 10 (version 1903 and 1909)
  • Windows Server 2019 (version 1909)

Impact

Microsoft has declared that the vulnerability is ‘wormable’, which may lead to rapid spreading of malware after the initial attack. However, at this moment, no exploit is publicly available. Furthermore, it is not yet clear how easily the vulnerability can be exploited. When an exploit becomes publicly available, the chances are high that malware may spread easily, similar to the EternalBlue vulnerability in SMB (CVE-2017-0144).

Risk

Northwave estimates the impact of the vulnerability to be High, but the probability to be Medium, because no public exploit is known yet. If an exploit becomes publicly available, the risk will increase to High/High.

Mitigation

At this moment, Microsoft has not yet released an update to fix the vulnerability. Instead, Microsoft has advised to disable SMBv3 compression on SMB Servers, which can be used as a temporary workaround for SMB Servers [3]. SMB Clients will remain vulnerable, as there are no workaround available for SMB Clients.

We recommend to install updates as soon as possible after they have become available, even when the workaround has been performed. Furthermore, standard preventative measures regarding SMB are recommended, like blocking incoming traffic to port 445 to prevent external connections over the SMB protocol.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (alleen vanuit Nederland)

Disclaimer applies, see below.

Sources

[1]: https://www.kb.cert.org/vuls/id/872016/

[2]: https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/

[3]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.