Luke Rummey

20200311

Microsoft have just released a security advisory about a new critical vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3). Server Message Block (SMB) is a protocol used to share resources and data between a client and a server. It is very commonly found on internal networks for users to authenticate and share files using a central server.

According to Microsoft, this bug is wormable, meaning it can spread automatically between computers. This is similar to the vulnerability used by the WannaCry ransomware, which took down parts of the NHS in 2017.

Very little information is currently known about this new flaw, and it is unknown how long it will take before a working exploit is created. If the vulnerability is easy to exploit, we could see real attacks in the wild, possibly as soon as the end of the week.

Microsoft have not yet released a patch for this vulnerability, but we expect one to be released very soon. In the meantime, they have released a workaround (see below).

Workaround – Disable SMBv3 compression

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

  • No reboot is needed after making the change.
  • This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ in the Microsoft advisory (linked under References) to protect clients.

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

The following versions of Microsoft Windows and Windows Server are affected:

  • Windows Server Version 1903 (Server Core Installation)
  • Windows Server Version 1909 (Server Core Installation)
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
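
To confirm that the server-side workaround above is actually in place on a host, the following PowerShell function reads the DisableCompression value and compares the OS build against the affected versions listed above. It is an added example, not part of the Microsoft advisory or the original post; the function name, the output field names and the mapping of builds 18362 and 18363 to versions 1903 and 1909 are supplied here.

```powershell
# Added example: audit whether the DisableCompression workaround is applied.
# Assumption: builds 18362 and 18363 identify versions 1903 and 1909.
function Get-SmbCompressionWorkaroundStatus {
    [CmdletBinding()]
    param(
        # Optional remote hosts; requires PowerShell remoting (WinRM) to be enabled.
        [string[]]$ComputerName
    )

    $check = {
        $affectedBuilds = @{ '18362' = '1903'; '18363' = '1909' }
        $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $verKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

        $build = [string](Get-ItemProperty -Path $verKey).CurrentBuildNumber

        # The value does not exist until the workaround has been set at least once,
        # so a missing value is treated the same as 0 (compression still enabled).
        $value = (Get-ItemProperty -Path $paramKey -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression

        $affected = $affectedBuilds.ContainsKey($build)
        $applied  = ($value -eq 1)

        [pscustomobject]@{
            Host               = $env:COMPUTERNAME
            Build              = $build
            Version            = if ($affected) { $affectedBuilds[$build] } else { 'not listed' }
            AffectedVersion    = $affected
            DisableCompression = if ($null -eq $value) { 'not set' } else { $value }
            # True only when the host runs a listed version and the workaround is absent.
            WorkaroundMissing  = ($affected -and -not $applied)
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $check
    } else {
        & $check
    }
}

# Local check; pass -ComputerName to audit several servers at once.
Get-SmbCompressionWorkaroundStatus | Format-List
```

A result of WorkaroundMissing = False only covers the SMB server side; as the notes above state, the registry change does not protect SMB clients.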

 
