Microsoft Guidance for Disabling SMBv3 Compression in Windows 10

Page 1 of 2 12 LastLast
    Microsoft Guidance for Disabling SMBv3 Compression in Windows 10

    Microsoft Guidance for Disabling SMBv3 Compression in Windows 10

    Security Advisory ADV200005 for Windows 10 version 1903 and 1909

    Last Updated: 13 Mar 2020 at 21:28

    UPDATE 3/12:

    Microsoft has released a new KB4551762 cumulative update below that includes a security update to the Microsoft Server Message Block 3.1.1 (SMBv3).

    KB4551762 CU Win 10 v1903 build 18362.720 and v1909 build 18363.720




    Important March 12, 2020 - Microsoft has released CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability to address this vulnerability. For more information about this issue, including download links for an available security update, please review CVE-2020-0796.

    Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

    To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

    We will update this advisory when updates are available. If you wish to be notified when this advisory is updated, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

    Publicly Disclosed Exploited
    No No

    Security Updates

    To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

    Product Platform Article Download Impact Severity Supersedence
    Windows 10 Version 1903 for 32-bit Systems Remote Code Execution Critical
    Windows 10 Version 1903 for ARM64-based Systems Remote Code Execution Critical
    Windows 10 Version 1903 for x64-based Systems Remote Code Execution Critical
    Windows 10 Version 1909 for 32-bit Systems Remote Code Execution Critical
    Windows 10 Version 1909 for ARM64-based Systems Remote Code Execution Critical
    Windows 10 Version 1909 for x64-based Systems Remote Code Execution Critical
    Windows Server, version 1903 (Server Core installation) Remote Code Execution Critical
    Windows Server, version 1909 (Server Core installation) Remote Code Execution Critical

    Mitigations

    Microsoft has not identified any mitigating factors for this vulnerability.

    Workarounds

    The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:

    Disable SMBv3 compression

    You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

    Notes:
    1. No reboot is needed after making the change.
    2. This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients.

    You can disable the workaround with the PowerShell command below.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

    Note:
    1. No reboot is needed after disabling the workaround.

    FAQ

    What steps can I take to protect my network?

    1. Block TCP port 445 at the enterprise perimeter firewall
    TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

    2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment
    Preventing SMB traffic from lateral connections and entering or leaving the network

    Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?

    No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression.

    Acknowledgements

    Microsoft Platform Security Assurance & Vulnerability Research

    See acknowledgements for more information.

    Disclaimer

    The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

    Revisions

    Version Date Description
    1.0 03/10/2020 Information published.
    1.1 03/11/2020 Advisory updated to add clarifying statements to the workaround and the FAQ.
    2.0 03/12/2020 CVE-2020-0796 has been published to address this vulnerability. Please see CVE-2020-0796 (https://portal.msrc.microsoft.com/en.../CVE-2020-0796).

    Source: https://portal.msrc.microsoft.com/en...sory/ADV200005

    See also: https://portal.msrc.microsoft.com/en.../CVE-2020-0796


    Brink's Avatar Posted By: Brink
    10 Mar 2020

  1. Jacee's Avatar
    Posts : 1,591
    Win 10 home 20H2 19042.928
       #1

    Thanks for the information!
      My Computers

  2.   My Computers

  3. Brink's Avatar
    Posts : 56,421
    64-bit Windows 10 Pro for Workstations build 21359
    Thread Starter
       #3

    I don't know, but I don't see any mention of SMBv3 in that article.
      My Computers

  4. ThrashZone's Avatar
    Posts : 7,108
    3-Win-7Prox64 2-Win10Prox64
       #4

    Brink said:
    I don't know, but I don't see any mention of SMBv3 in that article.
    Hi,
    Well I'm not smart enough to know obviously so I hand it to you to figure out

    I just notice the whopping performance hit
      My Computers

  5. jimbo45's Avatar
    Posts : 10,491
    Windows / Linux : Arch Linux
       #5

    Hi folks

    Just wondering What these client devices specifically would be "worthy of attack" are.

    Most smart TV's as far as I know aren't Android based - a lot have their own proprietary OS in them so what would a potential Hacker do -- I don't do online banking or compose confidential documents on a Smart TV. !!!

    My NAS server has perfectly good security in it (not a Windows device) so is this really a genuine problem or just another "scare" tactic.

    I'm always glad when Ms or others can fix security problems -- nothing wrong in decent security but I suspect this type of thing is probably a bit "over the top" for home computers running small networks -- a load of those are still probably using SMB1 !!!!!.

    BTW those that use KODI on remote devices -- latest version (LEIA) now supports SMB3 etc so if you use KODI on an amazon firestick etc change the protocol to SMBV3 -- earlier releases didn't offer you the choice.

    Cheers
    jimbo
      My Computer

  6. Cliff S's Avatar
    Posts : 25,565
    Win10 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #6

    No need for regular Windows 10 users to do anything:

    Notes:
    No reboot is needed after making the change.
    This workaround does not prevent exploitation of SMB clients.
    . To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
    Just sayin'
    Before everyone gets the willies
      My Computers


  7. Posts : 770
    Windows 10
       #7
      My Computer

  8. jimbo45's Avatar
    Posts : 10,491
    Windows / Linux : Arch Linux
       #8

    Cliff S said:
    No need for regular Windows 10 users to do anything:

    Just sayin'
    Before everyone gets the willies

    Hi there
    @Cliff S

    Nobody has answered my question --what sort of SMBV3 devices are likely to get attacked on Home networks -- especially as most of these things will be ROKU/KODI/SKY Q (UK and ROI - Eire) boxes) Amazon fire stick boxes, techmate satellite receiver boxes, smart TV's etc.

    Please tell me how these devices could be used for "Hacking" home users networks -- can't see many people doing EXCEL or ONLINE banking on these devices !!!!!

    I'm 100% for better security -- and glad W10 / Ms is rolling out better security and fixes where appropriate but some of this stuff is just BONKERS for home and small LANs -- big corporate customers --totally different story of course.

    Remember a previous US president - probably wiser than the current incumbent --however that's for US electors so not my business -- making a brilliant saying -- "It's not FEAR but the FEAR of FEAR itself" --or something similar --very true.

    Cheers
    jimbo
      My Computer

  9. Cliff S's Avatar
    Posts : 25,565
    Win10 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #9

    jimbo45 said:
    Hi there
    @Cliff S

    Nobody has answered my question --what sort of SMBV3 devices are likely to get attacked on Home networks -- especially as most of these things will be ROKU/KODI/SKY Q (UK and ROI - Eire) boxes) Amazon fire stick boxes, techmate satellite receiver boxes, smart TV's etc.

    Please tell me how these devices could be used for "Hacking" home users networks -- can't see many people doing EXCEL or ONLINE banking on these devices !!!!!

    I'm 100% for better security -- and glad W10 / Ms is rolling out better security and fixes where appropriate but some of this stuff is just BONKERS for home and small LANs -- big corporate customers --totally different story of course.

    Remember a previous US president - probably wiser than the current incumbent --however that's for US electors so not my business -- making a brilliant saying -- "It's not FEAR but the FEAR of FEAR itself" --or something similar --very true.

    Cheers
    jimbo
    I really don't know jimbo, but maybe this might help answer your question?

    https://docs.microsoft.com/en-us/win...mb-file-server
      My Computers


 
Page 1 of 2 12 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 15:35.
Find Us




Windows 10 Forums