Vulnerability of "emergency" severity found in the Windows 10 file sharing protocol; a patch is being prepared, but there is a workaround


by DobaKung

Alongside its regular release on March 11, 2020, Microsoft updated security advisory ADV200005 and announced that there is a vulnerability in the way the Server Message Block version 3.1.1 (SMBv3) file sharing protocol handles certain requests. The vulnerability allows remote code execution on an SMBv3 server or client. Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909 are said to be affected, and the severity is rated Critical (Urgent).

ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005


MS.SMB.Server.Compression.Transform.Header.Memory.Corruption | IPS | FortiGuard
https://fortiguard.com/encyclopedia/ips/48773


CVE-2020-0796: 'Wormable' Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005) - Blog | Tenable®
https://www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block


The vulnerability in the way certain requests are handled is a buffer overflow in the SMBv3 server, caused by an error in the handling of compressed data packets. An attacker could exploit it by sending specially crafted packets to execute arbitrary code on the SMBv3 server. An attacker could also execute arbitrary code by getting SMBv3 clients to connect to a malicious SMBv3 server.

The versions of Windows affected by the vulnerability are:

・ Windows 10 version 1903 (32-bit)
・ Windows 10 version 1903 (64-bit)
・ Windows 10 version 1903 (ARM64)
・ Windows Server version 1903 (Server Core installation)
・ Windows 10 version 1909 (32-bit)
・ Windows 10 version 1909 (64-bit)
・ Windows 10 version 1909 (ARM64)
・ Windows Server version 1909 (Server Core installation)

The vulnerability was accidentally published by a security vendor on a blog before it was officially released by Microsoft. Although the information posted was immediately removed from the blog, it was already a hot topic among some security researchers. Microsoft released a security advisory on March 10, 2020, acknowledging the existence of the vulnerability.



Because publication followed immediately after the leak, no patch had been prepared for this vulnerability at the time of writing, and one is in the process of being prepared. A Microsoft spokeswoman commented, 'Nothing else can be shared from Microsoft beyond the information provided in the security advisory.'

However, Microsoft has provided a workaround: SMBv3 server compression can be disabled by entering the following command in PowerShell:

[code]
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' DisableCompression -Type DWORD -Value 1 -Force
[/code]



Microsoft also recommends not only disabling compression on SMBv3 servers, but also blocking inbound and outbound TCP port 445 on the perimeter firewall. Note, however, that although these workarounds can prevent exploitation of the vulnerability in the SMBv3 server, the underlying vulnerability itself has not been fixed.
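As an added example (not from Microsoft's advisory or the original article), the following PowerShell function reports whether a host runs one of the affected versions, whether the DisableCompression workaround above is in place, and whether the host is listening on TCP port 445. The function name, its output fields and the use of the ReleaseId registry value to identify the version are assumptions made for this example.

```powershell
# Added example: audit and optionally apply the ADV200005 workaround on the local host.
# Function name and output fields are hypothetical; run from an elevated PowerShell prompt.
function Test-SmbCompressionWorkaround {
    [CmdletBinding()]
    param(
        [switch]$Apply   # also set DisableCompression = 1 when it is missing
    )

    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $verKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId holds the feature-update version, e.g. 1903 or 1909.
    $releaseId = (Get-ItemProperty -Path $verKey -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId
    $affected  = $releaseId -in @('1903', '1909')

    # A missing value means the workaround was never applied.
    $current  = (Get-ItemProperty -Path $paramKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $disabled = ($current -eq 1)

    if ($Apply -and $affected -and -not $disabled) {
        Set-ItemProperty -Path $paramKey -Name DisableCompression -Type DWORD -Value 1 -Force
        # Read the value back instead of assuming the write succeeded.
        $disabled = ((Get-ItemProperty -Path $paramKey -Name DisableCompression).DisableCompression -eq 1)
    }

    # Is anything on this host accepting SMB connections on TCP 445?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $releaseId
        AffectedVersion     = $affected
        CompressionDisabled = $disabled
        ListeningOn445      = $listening
        NeedsAction         = ($affected -and $listening -and -not $disabled)
    }
}

# Report only:
Test-SmbCompressionWorkaround | Format-List
# Report and apply the workaround where needed:
# Test-SmbCompressionWorkaround -Apply | Format-List
```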

in Software, Security, Posted by log1i_yk