CVE-2020-0796: New vulnerability in SMB protocol

News has emerged of the CVE-2020-0796 RCE vulnerability in Windows 10 and Windows Server operating systems, affecting the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. According to Microsoft, an attacker can exploit this vulnerability to execute arbitrary code on the side of the SMB server or SMB client. To attack the server, one can simply send a specially created package to it. As for the client, attackers have to configure a malicious SMBv3 server and persuade a user to connect to it.

Cybersecurity experts believe the vulnerability can be used to launch a worm similar to WannaCry. Microsoft calls the vulnerability critical, so you should close it as soon as possible.

Who is in danger?

SMB is a network protocol for remote access to files, printers, and other network resources. It is used to implement Microsoft Windows Network and File and Printer Sharing features. If your company uses these functions, you have reason to worry.

Microsoft Server Message Block 3.1.1 is a relatively recent protocol, used only in new operating systems:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

The vulnerability does not affect Windows 7, 8, 8.1, or older versions. However, most modern computers with automatic installation of updates run Windows 10, so it is likely that a lot of computers, both home and corporate, are vulnerable.

Are attackers exploiting CVE-2020-0796?

According to Microsoft, the CVE-2020-0796 vulnerability has not yet been used for attacks — at least, no one has yet seen such attacks. But the problem is that no patch exists yet for CVE-2020-0796. Meanwhile, information about the vulnerability has been in the public domain since March 10, so exploits can appear any minute, if they haven’t already.

What should you do?

With no patch available yet, you must close the vulnerability, and that requires workarounds. Microsoft offers the following to block the exploitation of this vulnerability.

For SMB servers:

  • You can block the exploitation of a vulnerability using a PowerShell command:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 –Force

For SMB clients:

  • As with WannaCry, Microsoft suggests blocking TCP port 445 at the enterprise perimeter firewall.

Also, be sure to use a reliable security solution such as Kaspersky Endpoint Security for Business. Among other technologies, it employs an exploit prevention subsystem that protects endpoints — even from unknown vulnerabilities.

Meanwhile, everyone is awaiting patches from Microsoft. According to all forecasts, the company will release them quite soon.