SMB remote code execution vulnerability – CVE-2020-0796

Microsoft has recently issued an announcement to protect against a new vulnerability CVE-2020-0796

The Recently Revealed SMBv3 Vulnerability: Facts and highlights

The tech community was taken by a surprise this week when a vulnerability in the extremely secure SMB3.1.1 was accidentally revealed in a Microsoft patch update. The remote code execution vulnerability (CVE-2020-0796) currently does not have an official patch, but workarounds are available.
The SMBv3 vulnerability assumes importance in the light of the recent malware attacks such as WannaCry

NotPetya, which utilized flaws in the older and flawed SMB1 protocol.
The SMBv3 protocol suite is the latest and most secure server message block protocol used for accessing and sharing files, printers and resources over networks. As of today, no malicious code or a hacking attempt has been reported that exploits the newly discovered flaw.
This Tuesday (the ‘Patch Tuesday’ for Windows), Microsoft rolled out its usual fixes and patches for newly found vulnerabilities in the Windows systems. However, there was one patch that was missing. In the meanwhile, Cisco Talos and Fortinet published a vulnerability named ‘CVE-2020-0796’ that was without a patch. This information was quickly removed, but did not go unnoticed. Later in the day, Microsoft published its advisory.

Who is affected

ARM64, Windows 32 and 64-bit editions, Windows 10 (1903 and 1909), and Windows Server (versions 1903 and 1909).

What’s the issue

The flaw reportedly allows hackers to launch a ‘worm’ attack on clients and servers by using a malicious, compressed data packet. The SMB vulnerability can let an unauthorized attacker to run any code as part of an application.
According to the Microsoft advisory, “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
This attack is also ‘wormable’, that is, the attacker can exploit one system, which, in turn, goes on to infect another.

What should be done?

While Microsoft is yet to issue a patch, there are a couple of workaround solutions to protect Windows systems.
1. One is to disable compression using a PowerShell command:

“Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 –Force “

2. Block the TCP Port 445 so as to stop the malicious code on the periphery firewall.
The SMBv1 protocol has now been discontinued and replaced in new Windows systems by the advanced dialects of SMBv3.
Meanwhile, everyone is awaiting patches from Microsoft. According to all forecasts, the company will release them quite soon. 

Lilia Wasserman, VP R&D, Visuality Systems

Lilia Wasserman, VP R&D, Visuality Systems

Visuality Systems confirms that its SMBv3.x related products are not affected by the Microsoft Windows CVE-2020-0796 vulnerability.
Share Via
Related Articles
Share Via
Table of Contents

Visuality systems uses technical, analytical, marketing, and other cookies. These files are necessary to ensure smooth operation of Voltabelting.com site and services and help us remember you and your settings. For details, please read our Privacy policy

Skip to content