ADV200005, CVE-2020-0796: Microsoft Guidance for Disabling SMBv3 Compression

strawgate · March 12, 2020, 5:40pm

An embargoed vulnerability has leaked which exposes a potential vulnerability in Windows 10 and Windows Server versions 1903 and 1909. The advisory is posted here: Security Update Guide - Microsoft Security Response Center

If you are a Verve Security Center customer or an HCL BigFix customer you can use the following Fixlet and information in making a decision to remediate prior to patch availability.

Version 1.0.0 of the Remediation fixlet is attached here:
Config - Disable SMBv3 Compression - Windows.bes (2.1 KB)

Note: This remediation does not require a reboot to apply and take effect.

If you are a Verve Security Center customer please reach out to your Verve Support representative for assistance. Additional information will be made available as it becomes available.

Note: I am not affiliated with Microsoft, HCL, or IBM.

strawgate · March 12, 2020, 5:45pm

My analysis of the advisory:

Wormable

This vulnerability is “Wormable” in the sense that an infected host can be used to further infect other hosts on its network segment. This is because both the SMBv3 Server and Client components are vulnerable. An attacker can use a SMBv3 Slient to infect a SMBv3 Server and then use the SMBv3 Server to infect SMBv3 Clients.

Due to KASLR (Kernel Address Space Layout Randomization) this vulnerability cannot be used by itself to infect systems, it will have to be chained with another zero-day vulnerability for it to be useful to attackers.

Vulnerable Systems

Vulnerable Windows Versions:
Windows Server, Version 1903
Windows Server, Version 1909
Windows 10, Version 1903
Windows 10, Version 1909

Remediation

All Windows machines function as both SMBv3 Servers and SMBv3 Clients.

This remediation disables SMBv3 Compression which will make SMBv3 Server components not vulnerable and thus prevent the vulnerablity from being “wormable”.

That being said SMBv3 Clients will remain vulnerable after applying the remediation.

Disabling SMBv3

There is no way to disable only SMBv3 on a Windows 10 system, you must disable SMBv2 and SMBv3 – with Windows no longer shipping with SMBv1 enabled, disabling SMBv2 and SMBv3 will result in systems without any SMB connectivity.

strawgate · March 12, 2020, 5:53pm

It appears Microsoft has fast published KB4551762 to address this vulnerability: March 12, 2020—KB4551762 (OS Builds 18362.720 and 18363.720) - EXPIRED - Microsoft Support

Here is a Fixlet to re-enable SMBv3 Compression after the patch has been applied:
Config - Enable SMBv3 Compression - Windows.bes (1.4 KB)

cjwolford · March 12, 2020, 9:27pm

any idea when KB4551762 will make it’s way down to bigfix?

strawgate · March 12, 2020, 10:47pm

Looks like it was made available just now.

cstoneba · March 13, 2020, 2:58pm

I wonder why no KB yet for Windows Server 1903/1909?

Meydey · March 13, 2020, 2:59pm

Fixlet 455176203 is only for Win10 v1903/1909
When can we expect the Server 2019 version of ths fixlet?

KB45511762
Applies to: Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909,Windows Server version 1909

cstoneba · March 13, 2020, 3:38pm

Hi, what is the reason for rel#4 in the shared fixlet?

not exists values "SMB2" whose (it = 0) of keys "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" of registry

strawgate · March 13, 2020, 6:17pm

Setting SMB2 to 0 in the windows registry disables both smbv2 and smbv3 (https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3)

cstoneba · March 13, 2020, 6:28pm

makes sense. thanks much

Meydey · March 16, 2020, 4:23pm

Has anyone tested the existing fixlet with Win10 relevance on a 2019 Server yet?