Cybersecurity Threat Intelligence

Cybersecurity Announcement: Microsoft remote code execution vulnerability in SMBv3 (CVE-2020-0796)

Posted: 2020-11-19 16:38:07   Expiration: 2020-11-26 16:38:07

Disclaimer: This news item was originally posted on 2020-11-19 16:38:07. Its content may no longer be timely or accurate.

Microsoft released information about a ‘wormable’ remote code execution vulnerability in SMBv3 (CVE-2020-0796) that was not addressed as part of its March 10th Patch Tuesday release.

Action to Consider:

Microsoft has not yet released a patch to address the vulnerability. Currently there are 3 Microsoft-recommended mitigations and workarounds. Further details are included in the reference links section.

  1. Block TCP port 445 at the enterprise perimeter firewall (Already blocked at the campus border – https://kb.wisc.edu/16575)
  2. Follow Microsoft guidelines to prevent SMB traffic leaving the environment
  3. Disable SMBv3 compression

Event Impact/Details:
The buffer overflow vulnerability could allow an unauthenticated attacker to send specially crafted SMBv3 compressed packets. If successful, the attacker could take full control of affected systems and execute arbitrary code, and because the flaw is wormable, move from system to system.

There are no documented exploitation events in the wild. Additionally, port 445 is blocked at the border for campus devices by default. As a result, campus risk is low but exploitation of the vulnerability could be used for lateral movement if a device utilizing SMBv3 was compromised through an alternative method.

Versions affected:
Windows 10 Version 1903
Windows Server Version 1903 (Server Core installation)
Windows 10 Version 1909
Windows Server Version 1909 (Server Core installation)

It is possible Windows 8 and Windows Server 2012 are also vulnerable since they run SMBv3, but current information cannot confirm the accuracy of that statement. The Cybersecurity team would advise reviewing remediation strategies as a precautionary measure where SMBv3 is enabled.
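The following PowerShell script is an added example for this announcement, not part of the original notice or of Microsoft's advisory text. It ties together the affected-release list above and mitigation step 3 (disable SMBv3 compression): it reports the host's ReleaseId, whether that release is on the affected list, whether the SMB server is running and listening on TCP 445, and whether the DisableCompression registry value is already set. With -Apply it sets that value, which is the registry workaround Microsoft documents in ADV200005 (the key path and value name are taken from that advisory, not from this page). The script assumes Windows PowerShell 5.1 or later and an elevated session for -Apply; -WhatIf previews the change.

```powershell
# Added example (not from the original advisory): audit a Windows host for
# CVE-2020-0796 exposure and, with -Apply, enable the "disable SMBv3
# compression" workaround from ADV200005. Run elevated; -WhatIf previews.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply
)

# Releases the announcement lists as affected (Windows 10 / Server 1903 and 1909).
$AffectedReleaseIds = @('1903', '1909')

# Registry locations: LanmanServer parameters (workaround lives here) and the
# Windows version key that carries ReleaseId on 1903/1909 builds.
$LanmanParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$CurrentVersion = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-Smbv3CompressionState {
    # Returns a summary object; DisableCompression = 1 means the workaround is active.
    $release = (Get-ItemProperty -Path $CurrentVersion -ErrorAction Stop).ReleaseId
    $value   = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $release
        AffectedRelease    = $AffectedReleaseIds -contains $release
        DisableCompression = if ($null -eq $value) { 0 } else { [int]$value }
        SmbServerRunning   = (Get-Service -Name LanmanServer -ErrorAction SilentlyContinue).Status -eq 'Running'
        Port445Listening   = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Set-Smbv3CompressionDisabled {
    # Microsoft's documented workaround: takes effect without a reboot and is
    # reversed by setting the value back to 0 once the patch is installed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($LanmanParams, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWord -Value 1 -Force
    }
}

$state = Get-Smbv3CompressionState
$state | Format-List

if (-not $state.AffectedRelease) {
    Write-Host "ReleaseId $($state.ReleaseId) is not on the affected list; no action taken."
} elseif ($state.DisableCompression -eq 1) {
    Write-Host 'SMBv3 compression already disabled; workaround is in place.'
} elseif ($Apply) {
    Set-Smbv3CompressionDisabled
    Write-Host 'Workaround applied. Set DisableCompression back to 0 after patching if compression is needed.'
} else {
    Write-Warning 'Affected release with SMBv3 compression enabled. Re-run with -Apply to set the workaround.'
}
```

Running the script without -Apply is safe on any host and produces the inventory a vulnerability-management team needs (release, listener, workaround state); the Port445Listening field is only meaningful for hosts that are reachable on 445 from outside the campus border block noted in step 1. The workaround does not fix the bug, so the registry value should be tracked until the Microsoft patch is confirmed installed.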


Reference/KBs:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/
https://www.zdnet.com/article/details-about-new-smb-wormable-bug-leak-in-microsoft-patch-tuesday-snafu/


-- IT Security Vulnerability Management: Hui-Chun Kuo