If you are a Verve Security Center customer or an HCL BigFix customer, you can use the following Fixlet and information when deciding whether to remediate before a patch is available.
Note: This remediation does not require a reboot to apply and take effect.
If you are a Verve Security Center customer, please reach out to your Verve Support representative for assistance. Additional information will be published as it becomes available.
Note: I am not affiliated with Microsoft, HCL, or IBM.
This vulnerability is “Wormable” in the sense that an infected host can be used to further infect other hosts on its network segment. This is because both the SMBv3 Server and Client components are vulnerable. An attacker can use an SMBv3 Client to infect an SMBv3 Server and then use the SMBv3 Server to infect SMBv3 Clients.
Due to KASLR (Kernel Address Space Layout Randomization), this vulnerability cannot be used by itself to infect systems; it will have to be chained with another zero-day vulnerability for it to be useful to attackers.
Vulnerable Systems
Vulnerable Windows Versions:
Windows Server, Version 1903
Windows Server, Version 1909
Windows 10, Version 1903
Windows 10, Version 1909
Remediation
All Windows machines function as both SMBv3 Servers and SMBv3 Clients.
This remediation disables SMBv3 Compression, which makes the SMBv3 Server component not vulnerable and thus prevents the vulnerability from being “wormable”.
That being said, SMBv3 Clients will remain vulnerable after applying the remediation.
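The following PowerShell is an added example, not the Fixlet referenced above and not Verve or HCL code. It checks whether the local host runs one of the listed versions and whether SMBv3 Server compression is already disabled, then applies the setting if needed. It assumes the `DisableCompression` registry value under the LanmanServer parameters key from Microsoft's published workaround, which this page does not spell out. The function names are hypothetical.

```powershell
# Added example: audit and apply the SMBv3 Server compression workaround locally.
# Assumption: key and value name are taken from Microsoft's workaround guidance,
# not from this page. Function names are hypothetical.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

# OS builds for the versions listed above: 18362 = 1903, 18363 = 1909.
$AffectedBuilds = 18362, 18363

function Get-SmbCompressionState {
    $cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    # A missing value means compression has not been disabled.
    $current = (Get-ItemProperty -Path $ParamsKey -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedBuild       = $build -in $AffectedBuilds
        CompressionDisabled = ($current -eq 1)
    }
}

function Disable-SmbServerCompression {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-SmbCompressionState
    if (-not $state.AffectedBuild) {
        Write-Verbose "Build $($state.Build) is not in the affected list; no change."
        return $state
    }
    if ($state.CompressionDisabled) {
        Write-Verbose 'SMBv3 Server compression is already disabled.'
        return $state
    }
    if ($PSCmdlet.ShouldProcess($ParamsKey, "Set $ValueName = 1")) {
        # Takes effect without a reboot. Protects the Server component only.
        Set-ItemProperty -Path $ParamsKey -Name $ValueName -Type DWord -Value 1 -Force
    }
    # Re-read so the returned object reflects what is actually in the registry.
    Get-SmbCompressionState
}

Disable-SmbServerCompression -Verbose | Format-List
```

Run it from an elevated PowerShell session; adding `-WhatIf` reports the pending change without writing it.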
Disabling SMBv3
There is no way to disable only SMBv3 on a Windows 10 system; you must disable both SMBv2 and SMBv3. With Windows no longer shipping with SMBv1 enabled, disabling SMBv2 and SMBv3 will result in systems without any SMB connectivity.