This month’s Patch Tuesday, Microsoft disclosed a remote code execution vulnerability in SMB 3.1.1 (v3) protocol. Even though initial release of the Patch Tuesday did not mention this vulnerability, details of the issue (CVE-2020-0796) were published accidentally on another security vendor’s blog. Microsoft published security advisory ADV200005 and technical guidance soon after the accidental disclosure of the vulnerability.
UPDATE March 12, 2020: Microsoft updated ADV200005 to include CVE-2020-0796 and released patches for affected Windows systems.
A critical remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An unauthenticated attacker could exploit the vulnerability to execute arbitrary code on SMB server by sending a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
Affected Operating Systems
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Microsoft released patches and have provided workarounds in a security advisory: disable SMBv3 compression and block the 445 TCP port on client computers and firewalls to prevent attackers from exploiting the vulnerability.
Update: There were no reports of active exploitation or PoC available in public domain at the time of initial release of this post.
On March 12, Kryptos Logic published a proof-of-concept, demonstrating the use of exploit code to crash vulnerable hosts (Denial of Service).
On March 13, a POC was published on GitHub that explained how “CVE-2020-0796 is caused by a lack of bounds checking in offset size, which is directly passed to several subroutines. Passing a large value causes buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.”
Systems with port 445 exposed to the Internet are at high risk for this vulnerability.
Detecting CVE-2020-0796 with Qualys VM
Qualys has issued QID 91614 for Qualys Vulnerability Management that covers CVE-2020-0796 across all impacted operating systems. This QID will be included in signature version VULNSIGS-2.4.837-4, and requires authenticated scanning or the Qualys Cloud Agent. Cloud Agents will automatically receive this new QID as part of manifest version 2.4.837.4-3. Details of the detection are also available at Microsoft Security Alert: March 10, 2020.
QID 91614 : Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)
This QID checks if SMBv3 is enabled on the host and if the following workaround is not applied –
DisableCompression -Type DWORD -Value 1
Update: Qualys released QID 91616 to check for patches applied for CVE-2020-0796 across all impacted operating systems using authenticated scanning or the Qualys Cloud Agent. All new changes are included in signature version VULNSIGS-2.4.841-3.
QID 91616: Microsoft Windows SMBv3 Compression Remote Code Execution Vulnerability (KB4551762)
Details on Qualys QIDs 91614 and 91616:
Along with the two confirmed vulnerability QIDs, Qualys also released the following IG QID, to help customers track assets on which they have the mitigation applied. This QID can be detected via remote unauthenticated and authenticated scans or via Qualys Cloud Agent.
QID 48086: Microsoft Server Message Block (SMBv3) Compression Disabled
You can search within the VM Dashboard by using the following QQL query:
You can also track all hosts impacted by CVE-2020-0796 vulnerability in your environment with the Microsoft RCE SMBv3 Vulnerability Dashboard that leverages data in your Qualys Vulnerability Management subscription, as shown below:
Qualys Threat Protection
Qualys customers can locate vulnerable hosts through Qualys Threat Protection. This helps accelerate identification and tracking of this vulnerability.
Simply click on the impacted assets number to see a list of hosts with this vulnerability.
- Disable SMBv3 compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below –
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
- Block TCP port 445 at the enterprise perimeter firewall
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.
Customers should install patch updates KB4551762 for affected operating systems to be protected from this vulnerability.