TechGuard Blog

New Wormable SMB Vulnerability Disclosed

Microsoft published a security advisory (ADV200005) yesterday warning about yet another vulnerability in, yep you guessed it, SMB. This time the vulnerability is in SMBv3 and it has to do with a buffer overflow in the code that SMBv3 uses to handle decompression.  

UPDATE:

Since the time of posting the article Microsoft has published an emergency patch for CVE-2020-0796.  We urge that you deploy this patch as soon as possible:

https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762

 

“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.” Microsoft explained.

The good news is that so far there has been no exploit code or proof of concept code released unlike the nightmare that was (and still is) EternalBlue. This vulnerability affects both your SMB servers that are using SMBv3 as well as clients (workstations). The bad news is there is no patch yet available for this vulnerability dubbed CVE-2020-0796. This vulnerability is considered wormable because it would be easy for an attacker that has developed working exploit code to program it in such a way that it self-replicates to other vulnerable servers in reach to begin a chain reaction, not unlike WannaCry.

What can you do to protect your IT assets? Below are some recommended workarounds, each one independent of the others so you can implement one or all of them depending on what works for your business.

1. Disable SMBv3 Compression (only works for SMB servers, not Clients)

You can do this from the PowerShell command prompt by issuing the following command (no reboot is required):

Set-ItemProperty -Path

"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

DisableCompression -Type DWORD -Value 1 -Force

2. Block TCP port 445 at the firewall

As a best practice you shouldn’t have SMB open to the internet anyway, however, if you have a business need that requires it then you’ll have to make your own determination as an organization based on the additional risk this vulnerability is going to generate.

3. Prevent lateral connections and entering or leaving the network

You can follow Microsoft’s guide “Preventing SMB traffic from lateral connections and entering or leaving the network” which reviews perimeter firewall options, host-based firewall options, as well as disabling SMB services for those organizations that do not require it.

Hopefully, the workaround mitigation steps will keep you secure in the meantime, however, you’ll certainly want to keep an eye out for a patch (hopefully soon) coming from Microsoft on this one.  

 

Written by Zach Turpen

Zach Turpen is a Cybersecurity Expert at TechGuard Security where he conducts penetration tests, vulnerability assessments, social engineering exercises and develops detailed incident response procedures. With experience spanning over 6 years in a Fortune 100 environment he is also CISSP, CEH, GSEC, Security+, Splunk, Rapid 7, ITIL and VMware certified. Zach graduated Summa Cum Laude from McKendree University with a bachelor’s degree in Computer Information Systems. He has worked on the front line of security as an Incident Responder, as a Lead Security Engineer implementing multi-million-dollar projects (SIEM, NGAV, Web Proxies, NGFW) and as a Security Architect migrating business applications to the cloud. In his spare time Zach enjoys spending time with his wife and two kids, gardening and kayak fishing.