(CVE-2020-0796) ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

Today, Microsoft issued an advisory titled ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression. According to the alert, Microsoft Server Message Block 3.1.1 (SMBv3) suffers from a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability, an attacker will have to create a specially crafted packet to a targeted SMBv3 server. To target a SMB client, an attacker will have to create a malicious SMBv3 server and convince a user to connect to it.

Specifics were not disclosed at this time and it appears findings were discovered by Microsoft's Platform Security Assurance and Vulnerability Research team.

No.

High. This out of band advisory essentially allows unauthenticated attackers to execute arbritrary code on a remote system. There have been reports that this latest vulnerability is wormable. The last significant wormable threat was the Wannacry ransomware of 2017 which also leveraged a SMB vulnerability from the Shadow Brokers release - for further propagation.

Windows 10 and Windows Server platforms.

The Microsoft Security Advisory ADV200005 suggests the following:

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

1. No reboot is needed after making the change.

2. This workaround does not prevent exploitation of SMB clients.

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

It is also advised to place all public facing SMB machines behind a firewall or VPN. It also suggested to block TCP 445 within your firewall at the network perimeter.

AV coverage is not feasible for this issue.

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. If it is deemed that patching is not feasible, it is recommended that a risk assessment is conducted to determine additional mitigation safeguards within an environment.