A critical vulnerability was found in Windows Server Message Block version 3 (SMBv3) that an attacker could exploit in a WannaCry-style attack. The vulnerability could be combined with a worm so that one infected machine infects every other vulnerable device connected to the network.
The vulnerability in the SMBv3 communication protocol is a pre-authentication remote code execution flaw caused by an error in how SMBv3 handles maliciously crafted compressed data packets. A successful exploit lets an unauthenticated attacker execute arbitrary code in the context of the application and take complete control of a vulnerable system. The attacker can trigger the vulnerability remotely by sending a specially crafted packet to a targeted SMBv3 server.
The vulnerability, tracked as CVE-2020-0796, affects Windows Server Version 1903 (Server Core installation), Windows 10 Version 1903, Windows Server Version 1909 (Server Core installation) and Windows 10 Version 1909. There is no confirmation yet whether earlier Windows versions such as Windows 8 and Windows Server 2012 are affected.
Fortinet and Cisco Talos published summaries of the SMBv3 vulnerability on their blogs, though Cisco Talos later removed its post. Microsoft was expected to release a patch for the vulnerability on the March 2020 Patch Tuesday, but a complete fix was not yet ready.
No proof-of-concept exploit for the vulnerability has been published online yet, and there have been no reports of exploitation in the wild; nonetheless, Microsoft advises Windows administrators to take the following steps to guard against exploitation until a patch is released:
- Disable SMBv3 compression
- Block TCP port 445 at the enterprise perimeter firewall
Blocking port 445 is the recommended defense against attacks coming from the Internet, but it will not stop exploitation from inside the enterprise firewall.
SMBv3 compression can be disabled on SMBv3 servers with the PowerShell command: Set-ItemProperty -Path "HKLM:" DisableCompression -Type DWORD -Value 1 -Force. No reboot is required after making the change.
According to Microsoft, disabling SMBv3 compression does not protect SMB clients from exploitation.
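The following PowerShell script is an added example, not code from the article or from Microsoft: it audits a host for the interim workarounds described above, applies the compression registry change, and adds a host-firewall rule for TCP 445 as a local analogue of the perimeter block. The full registry path it writes to is the LanmanServer Parameters key that Microsoft's published workaround targets; the article's own command shows only the "HKLM:" prefix. The firewall rule name and the helper function names are this example's own choices.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on a Windows 10 / Server 1903 or 1909 host.
# Full key of Microsoft's workaround; the article shows only "HKLM:".
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName  = 'Block inbound SMB 445 (CVE-2020-0796 interim)'   # example rule name

function Get-SmbCompressionState {
    # Returns 'Disabled' when DisableCompression is 1, otherwise 'Enabled'.
    $prop = Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.DisableCompression -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-SmbCompression {
    # Same registry write as the article's command; no reboot is needed.
    # Note: this protects the SMB server role only, not SMB clients.
    Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Test-SmbV3Exposure {
    # Report release and compression state so an administrator can see whether
    # this host is in the affected set (1903 / 1909) and whether the workaround is applied.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    [pscustomobject]@{
        Caption     = $os.Caption
        Build       = $os.BuildNumber
        ReleaseId   = $release
        Affected    = $release -in @('1903', '1909')
        Compression = Get-SmbCompressionState
    }
}

function Block-SmbInbound {
    # Host-level block of inbound TCP 445 on the Public profile. As the article
    # notes, a port-445 block does not stop exploitation from inside the enterprise
    # firewall, so it complements the registry change rather than replacing it.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

# Audit first, then apply the workarounds if compression is still enabled.
Test-SmbV3Exposure | Format-List
if ((Get-SmbCompressionState) -eq 'Enabled') { Disable-SmbCompression }
Block-SmbInbound
"SMBv3 compression is now: $(Get-SmbCompressionState)"
```

The audit step is deliberately separate from the change so the script can be run read-only across a fleet (call Test-SmbV3Exposure alone) before anyone writes to the registry; re-running it after the patch ships confirms which hosts still carry the interim workaround and can have it reverted.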
Apply the patch as soon as it is released. No release schedule has been announced yet. Given the severity of the vulnerability, an out-of-band patch is likely.