By Keren Pollack, on March 12th, 2020

A critical remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) has been disclosed by Microsoft. The vulnerability is reported to be wormable, which makes it even more disturbing. With WannaCry still fresh in our memories, there is good reason to be concerned about this wormable SMBv3 vulnerability.

The vulnerability’s details were accidentally published in another vendor’s blog post. Microsoft published security advisory ADV200005 soon after the details were disclosed. At the time of writing, no patch has been published for this vulnerability.

The affected operating systems:

  1. Windows 10 Version 1903 for 32-bit Systems
  2. Windows 10 Version 1903 for ARM64-based Systems
  3. Windows 10 Version 1903 for x64-based Systems
  4. Windows 10 Version 1909 for 32-bit Systems
  5. Windows 10 Version 1909 for ARM64-based Systems
  6. Windows 10 Version 1909 for x64-based Systems
  7. Windows Server, version 1903 (Server Core installation)
  8. Windows Server, version 1909 (Server Core installation)

The vulnerability lies in the way SMBv3 handles connections that use compression. It may eventually allow an unauthenticated attacker to execute arbitrary code on a vulnerable system: by connecting to a vulnerable machine, or by causing a vulnerable Windows system to connect to an SMBv3 server, a remote attacker can execute arbitrary code with SYSTEM privileges.

Microsoft’s suggested solution:

As there is no patch available at this moment, Microsoft suggests workarounds:

  1. Disable compression, which blocks unauthenticated attackers from exploiting this SMBv3 vulnerability, using the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

  2. Block outbound SMB connections (TCP port 445, used by SMBv3) from the local network to the WAN, and ensure that SMB connections from the internet cannot reach the enterprise LAN.
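The two workarounds as an administrator might script them on a single host, added here as an example that is not part of the original post or of the CHS product. It assumes an elevated Windows PowerShell 5.1 session; the build-number mapping (18362 for 1903, 18363 for 1909), the helper function names and the firewall rule's display name are the example's own, not taken from the advisory text above.

```powershell
# Added example: check whether this host is an affected 1903/1909 build, report the
# SMBv3 compression state, apply Microsoft's DisableCompression workaround and verify it,
# and add a host-level firewall rule approximating the "block TCP 445 to the WAN" guidance.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Build numbers are assumed here (the example's own mapping, not from the advisory text).
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

function Test-AffectedBuild {
    # Returns the release label ('1903'/'1909') when the host build is affected, otherwise $null.
    $build = [int](Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    if ($AffectedBuilds.ContainsKey($build)) { return $AffectedBuilds[$build] }
    return $null
}

function Get-SmbCompressionState {
    # DisableCompression is absent by default; absent or 0 means compression is enabled.
    $value = (Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    if ($null -eq $value) { return 'Enabled (value not set)' }
    if ($value -eq 1)     { return 'Disabled' }
    return "Enabled (value $value)"
}

function Set-SmbCompressionWorkaround {
    # Microsoft's ADV200005 workaround; no reboot is needed, and it protects the server side only.
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value 1 -Force
    $after = (Get-ItemProperty -Path $RegPath -Name DisableCompression).DisableCompression
    if ($after -ne 1) { throw "DisableCompression read back as '$after', expected 1" }
}

function Add-OutboundSmbBlockRule {
    # Host-level stand-in for the perimeter rule; 'Internet' is a built-in Windows Firewall
    # address scope. The rule name is the example's own choice. Idempotent: skips if present.
    $name = 'Example - Block outbound SMB (TCP 445) to Internet'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress Internet -Action Block | Out-Null
    }
}

$release = Test-AffectedBuild
if ($null -eq $release) {
    Write-Host 'This build is not in the affected list; no changes made.'
} else {
    Write-Host "Windows $release is affected. SMB compression before: $(Get-SmbCompressionState)"
    Set-SmbCompressionWorkaround
    Add-OutboundSmbBlockRule
    Write-Host "SMB compression after: $(Get-SmbCompressionState)"
    Write-Host 'Reminder: disabling server compression does not protect SMB clients connecting outbound.'
}
```

The host-level firewall rule complements, rather than replaces, the perimeter blocking of TCP 445 described in step 2.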

Applying the workarounds on your system using CHS:

After you’ve decided on your course of action, implementing it can be a painful process: you’ll need to perform an impact analysis before you implement the changes in production. Lab testing to understand how your changes affect production performance takes time and effort that you may not have available, and until it is done your system remains vulnerable.

CHS solution:

CHS’s learning abilities eliminate the need for lab testing, allowing you to implement your new policy directly in production right away.