Hi, yesterday, Microsoft has released a patch for a vulnerability in the SMBv31.1 (CERTFR-2020-ALE-008 / CVE-2020-0796) protocol that accidentally leaked online earlier this week during the March 2020 Patch Tuesday preamble. Updates a Microsoft Server Message Block 3.1.1 protocol issue that provides shared access to files and printers. The KB KB455176 is an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.
Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
Telltale research team shared a quick DoS PoC (video). The SMB bug appears trivial to identify, even without the presence of a patch to analyze.
Infected system:
- Windows 10 Version 1903 for 32-bit Systems,
- Windows 10 Version 1903 for ARM64-based Systems,
- Windows 10 Version 1903 for x64-based Systems,
- Windows 10 Version 1909 for 32-bit Systems,
- Windows 10 Version 1909 for ARM64-based Systems,
- Windows 10 Version 1909 for x64-based Systems,
- Windows Server, version 1903 (Server Core installation),
- Windows Server, version 1909 (Server Core installation).
How to detect?
############### # Rules by Claroty # This rules will detect SMB compressed communication by the SMB protocol identifier. # The use of the offset and depth parameter is designed to prevent false positives and to allow the NetBios Layer ############### alert tcp any any -> any 445 (msg:"Claroty Signature: SMBv3 Used with compression - Client to server"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000001; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;) alert tcp any 445 -> any any (msg:"Claroty Signature: SMBv3 Used with compression - Server to client"; content:"|fc 53 4d 42|"; offset: 0; depth: 10; sid:1000002; rev:1; reference:url,//blog.claroty.com/advisory-new-wormable-vulnerability-in-microsoft-smbv3;)
Block TCP port 445 at the enterprise perimeter firewall:
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
The update fixes CVE-2020-0796 (SMBGhost), a vulnerability in Server Message Block, a protocol for sharing files, printers, and other resources on local networks and the Internet.
Workaround: Disable SMBv3 compression: You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Office 365 MitM attack and Varonis protection: Scenario Play
Security and Data Governance with Varonis: Blog post
Hyper-V 2016 New Features – Network (Part 1): Guide.
Hyper-V upgrade from Windows 2012 R2 to 2016: Guide.
If you need to disable UAC Server on Windows Server 2016 Script Guide.
Step by Step Guide Veeam Backup for Office365 v2 Installation – Step by Step Guide!
MUG – Microsoft User Group – First event in Monaco! Join us!.
