UPDATE 3/12:

Microsoft has released a new KB4551762 cumulative update below that includes a security update to the Microsoft Server Message Block 3.1.1 (SMBv3).

KB4551762 CU Win 10 v1903 build 18362.720 and v1909 build 18363.720

Important March 12, 2020 - Microsoft has released CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability to address this vulnerability. For more information about this issue, including download links for an available security update, please review CVE-2020-0796.

Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

We will update this advisory when updates are available. If you wish to be notified when this advisory is updated, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Publicly Disclosed	Exploited
No	No

Security Updates

To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

Product	Platform	Article	Download	Impact	Severity	Supersedence
Windows 10 Version 1903 for 32-bit Systems				Remote Code Execution	Critical
Windows 10 Version 1903 for ARM64-based Systems				Remote Code Execution	Critical
Windows 10 Version 1903 for x64-based Systems				Remote Code Execution	Critical
Windows 10 Version 1909 for 32-bit Systems				Remote Code Execution	Critical
Windows 10 Version 1909 for ARM64-based Systems				Remote Code Execution	Critical
Windows 10 Version 1909 for x64-based Systems				Remote Code Execution	Critical
Windows Server, version 1903 (Server Core installation)				Remote Code Execution	Critical
Windows Server, version 1909 (Server Core installation)				Remote Code Execution	Critical

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

1. No reboot is needed after making the change.
2. This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients.

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Note:

1. No reboot is needed after disabling the workaround.

FAQ

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment
Preventing SMB traffic from lateral connections and entering or leaving the network

Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?

No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.

Acknowledgements

Microsoft Platform Security Assurance & Vulnerability Research

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version	Date	Description
1.0	03/10/2020	Information published.
1.1	03/11/2020	Advisory updated to add clarifying statements to the workaround and the FAQ.
2.0	03/12/2020	CVE-2020-0796 has been published to address this vulnerability. Please see CVE-2020-0796 (https://portal.msrc.microsoft.com/en.../CVE-2020-0796).

Source: https://portal.msrc.microsoft.com/en...sory/ADV200005

See also: https://portal.msrc.microsoft.com/en.../CVE-2020-0796

Tweet

— Twitter API (@user) View on Twitter

Posted By: Brink
10 Mar 2020