Windows SMBv3 0-day vulnerability CVE-2020-0796

[German]There is a serious but unpatched vulnerability in the SMBv3 network protocol in Windows. This could allow the spread of worms, but is not currently exploited. Microsoft provided the information in a security advisory yesterday.

I received the first notification from Microsoft in the form of a security advisory ADV200005:

Security Advisories Released or Updated on March 10, 2020
=============================================
* Microsoft Security Advisory ADV200005

– ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
– Reason for Revision: Information published.
– Originally posted: March 10, 2020
– Updated: N/A
– Version 1.0

Details about CVE-2020-0796

Microsoft's implementation of the SMBv3 protocol contains a vulnerability (CVE-2020-0796) in the handling of compression. This vulnerability allows a remote attacker to execute arbitrary code on a vulnerable system without the need to authenticate. This is the 'wormable' scenario, which allows malware to spread over a network. This was found by Tenable and reported to Microsoft. Tenable refers to the vulnerability as EternalDarkness. According to Tenable the following Windows versions are affected:

• Windows Server Version 1903 (Server Core Installation)
• Windows Server Version 1909 (Server Core Installation)
• Windows 10 Version 1903 for 32-bit Systems
• Windows 10 Version 1903 for ARM64-based Systems
• Windows 10 Version 1903 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems

This affects the implementation of Microsoft Server Message Block 3.1.1 (SMBv3). Microsoft writes that they are aware of the remote code execution vulnerability. The vulnerability is in how the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles specific requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB server or SMB client.

To exploit the vulnerability against an SMB server, an unauthenticated attacker would have to send a specially crafted packet to a target SMBv3 server. To exploit the vulnerability against an SMB client, an unauthenticated attacker would have to configure a malicious SMBv3 server and force a user to connect to it.

No update but a workaround available

Microsoft has not yet released an update to close the SMBv3 vulnerability. Yesterday's patchday (March 10, 2020) did not address the problem. In ADV200005, Microsoft is currently only suggesting switching off compression in the SMBv3 protocol as a workaround. To do this, open an administrative command prompt on the server and enter the following PowerShell statement:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

This command does not require a restart of the server. It should be noted, however, that this workaround does not prevent exploitation of the vulnerability on SMBv3 clients. To reverse the workaround later, type the following PowerShell statement at an administrative command prompt:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Microsoft propose also in ADV200005 to block TCP port 445 in the firewall. his port is used to initiate a connection with the affected component. Blocking this port at the perimeter firewall (the gateway between the corporate network and the Internet) helps protect systems behind the firewall from attempts to exploit this vulnerability over the Internet. This can help protect networks from attacks originating outside the corporate network.

Similar articles:
Microsoft recommends disabling SMBv1 on Exchange
SMBv1 FAQ and Windows networks
Windows 10 Pro V1803: SMBv1 'special traps'
PSA: Windows 10 V1803: Update KB4284848 brings SMBv1 fix