CERT-EU warns of SMBv3 vulnerability CVE-2022-24508, fix through Windows March 2022 updates

With the March 8, 2022 security updates for Windows, Microsoft has fixed a number of vulnerabilities. Among them is a Remote Code Execution (RCE) vulnerability in the Windows SMBv3 client/server implementation that is rated as important. CERT-EU issued an advisory warning about this SMBv3 vulnerability, CVE-2022-24508, and recommends promptly installing the updates or applying mitigations to prevent exploitation. Fortunately, exploitation requires the attacker to be authenticated, and no exploitation in the wild is known so far.



SMBv3 vulnerability CVE-2022-24508

I became aware of the CERT-EU warning about the SMBv3 vulnerability CVE-2022-24508 via the following tweet. CERT-EU describes the details in this post.

SMBv3 vulnerability CVE-2022-24508 (CERT-EU tweet)

The vulnerability CVE-2022-24508 in SMBv3 compression allows an authenticated attacker to execute code remotely through an affected client or server. According to Microsoft, Windows 10 version 2004 and later, Windows 11 and Windows Server 2022 are affected; the supported releases listed in the advisory are:

  • Windows 10 Version 20H2
  • Windows 10 Version 21H1
  • Windows 10 Version 21H2
  • Windows 11
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022 Azure Edition Core Hotpatch

According to Microsoft, no attacks on this vulnerability have been reported so far. Details about this vulnerability have not been published yet. The recommendation of CERT-EU is to mitigate this vulnerability in a timely manner.

Update Windows or apply workaround

Microsoft has released security updates for the affected versions of Windows as of March 8, 2022, to address the CVE-2022-24508 vulnerability in the SMBv3 client/server implementation. The updates were described in the blog posts below. 



Patchday: Windows 10-Updates (March 8, 2022)
Patchday: Windows 11/Server 2022 updates (March 8, 2022)

With Windows Server 2022, there may be a problem that after the update installation, various roles for remote desktop gateways no longer exist or work. I had described the details in the blog post Windows Server 2022: March 2022 update KB5011497 breaks remote desktop gateway role.  

Fortunately, older versions of Windows are not affected, and the attacker would need to be authenticated to exploit the vulnerability. Those who cannot install the update in a timely manner because of the issue above or other problems should apply the workarounds described by Microsoft in the advisory for CVE-2022-24508:

  • Disable SMBv3 compression
  • Block TCP port 445 on the corporate firewall from external access

The Microsoft article mentions the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

to disable SMBv3 compression on an SMBv3 server. No reboot is required after the change.

Warning: This registry workaround only protects the SMB server side. It does not prevent exploitation of SMB clients, which remain exposed if they connect to a malicious server; that exposure is what the port 445 blocking at the perimeter is meant to limit. Microsoft has published the instructions here.
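The two workarounds above as one script, added here as an example; it is not code from the original post or from Microsoft. It checks whether the March 2022 update is already installed, applies the documented registry value only if it is not, verifies the value, and adds host firewall rules as a local approximation of the perimeter rule. The KB number (KB5011497, the Server 2022 update mentioned above) and the rule names are assumptions; the `Internet` address keyword of the Windows firewall is used here as a stand-in for "external access" and is only as good as the host's network location classification.

```powershell
# Added example, not from the original post or from Microsoft.
# Run in an elevated PowerShell on an affected host.
# Assumptions: $kb is the March 2022 cumulative update for this OS build
# (KB5011497 is the Windows Server 2022 one named in the post); the firewall
# rule names are ours; -RemoteAddress Internet approximates "external".

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'DisableCompression'
$kb        = 'KB5011497'   # assumption: adjust to the update for this build

function Get-SmbCompressionDisabled {
    # $true when the documented workaround value is present and set to 1.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

function Disable-SmbCompression {
    # Microsoft's documented workaround; takes effect immediately, no reboot.
    Set-ItemProperty -Path $regPath -Name $valueName -Type DWORD -Value 1 -Force
}

function Enable-SmbCompression {
    # Reverts the workaround once the March 2022 update is installed.
    Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
}

# 1. Registry workaround, only where the update is missing.
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
if ($patched) {
    "Update $kb present; the registry workaround is not needed."
} elseif (Get-SmbCompressionDisabled) {
    "SMBv3 server compression is already disabled."
} else {
    Disable-SmbCompression
    if (Get-SmbCompressionDisabled) {
        "SMBv3 server compression disabled (no reboot required)."
    } else {
        throw "Failed to set $valueName under $regPath"
    }
}

# 2. Host firewall counterpart of the perimeter rule. Inbound protects the
#    server; outbound keeps SMB clients on this host from reaching an
#    attacker-controlled share, which the registry value does not cover.
$rules = @(
    @{ DisplayName = 'Block SMB 445 inbound from Internet'; Direction = 'Inbound';  Port = @{ LocalPort  = 445 } },
    @{ DisplayName = 'Block SMB 445 outbound to Internet';  Direction = 'Outbound'; Port = @{ RemotePort = 445 } }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction $r.Direction `
            -Protocol TCP -RemoteAddress Internet -Action Block @($r.Port) | Out-Null
        "Created firewall rule '$($r.DisplayName)'."
    }
}
```

Once the cumulative update is installed on every host, call `Enable-SmbCompression` (or delete the value by hand) so that SMB compression, which Windows Server 2022 and Windows 11 otherwise use, is not left switched off permanently; the firewall rules can stay, since restricting port 445 to the internal network is sound regardless of this CVE.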

Similar articles
Microsoft Security Update Summary (March 8, 2022)
Patchday: Windows 10-Updates (March 8, 2022)
Patchday: Windows 11/Server 2022-Updates (March 8, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (March 8, 2022)



