
Luke Rummey

20200311

Microsoft have just released a security advisory about a new critical vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). Server Message Block (SMB) is a protocol used to share resources and data between a client and a server. It is very commonly found on internal networks, where users authenticate and share files using a central server.

According to Microsoft this bug is wormable, meaning it can spread automatically between computers. This is similar to the vulnerability which was used by the WannaCry ransomware which took down parts of the NHS in 2017.

Very little is currently known about this new flaw, and it is unknown how long it will take before a working exploit is created. If the vulnerability is easy to exploit, we could see real attacks in the wild, possibly as soon as the end of the week.

Microsoft have not yet released a patch for this vulnerability, but we expect one to be released very soon. In the meantime, they have released a workaround (see below).

Workaround – Disable SMBv3 compression

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

  • No reboot is needed after making the change.
  • This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ in the Microsoft advisory (linked under References) to protect clients.

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

The following versions of Microsoft Windows and Windows Server are affected:

  • Windows Server Version 1903 (Server Core Installation)
  • Windows Server Version 1909 (Server Core Installation)
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
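
To confirm the workaround on a host, the following read-only PowerShell check reports whether the machine is one of the versions listed above and whether DisableCompression is set to 1. It is an added example, not taken from Microsoft's advisory or the original post; the function name Test-SmbCompressionWorkaround and the use of the ReleaseId registry value to identify versions 1903 and 1909 are assumptions of this example.

```powershell
# Added example (not from the advisory): read-only audit, makes no changes.
# Test-SmbCompressionWorkaround is a hypothetical helper name.
function Test-SmbCompressionWorkaround {
    # Key used by the workaround command on this page.
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Assumption: ReleaseId under this key holds the version string (e.g. "1909").
    $osKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Versions listed as affected on this page.
    $affectedReleases = @('1903', '1909')

    $os        = Get-ItemProperty -Path $osKey
    $releaseId = $os.ReleaseId
    $affected  = $affectedReleases -contains $releaseId

    # The value may be absent; absent or 0 means SMBv3 compression is still enabled.
    $entry = Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue
    $value = if ($null -eq $entry) { $null } else { $entry.DisableCompression }
    $workaroundApplied = ($value -eq 1)

    $status = if (-not $affected) {
        'Not a listed version'
    } elseif ($workaroundApplied) {
        'Listed version, server-side workaround applied'
    } else {
        'Listed version, SMBv3 compression still enabled'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ProductName        = $os.ProductName
        ReleaseId          = $releaseId
        AffectedVersion    = $affected
        DisableCompression = if ($null -eq $value) { '(not set)' } else { $value }
        Status             = $status
    }
}

Test-SmbCompressionWorkaround | Format-List
```

A result of "workaround applied" covers only the SMB server role on that host; as the notes above state, it does not protect the SMB client.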

 
