| CVE ID | Title | Affected Platform | Severity | Date |
|---|---|---|---|---|
| CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability | Windows 10 | Critical | 13-03-2020 |
Brief overview of the risk:
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
Detailed Information on the risk:
SMBGhost is an integer overflow vulnerability in the Windows 10 SMB drivers srv2.sys (server side) and mrxsmb.sys (client side). The vulnerability occurs while the Srv2DecompressData() function handles the SMB2_COMPRESSION_TRANSFORM_HEADER: it allows allocation of a buffer of incorrect size, leading to a buffer overflow. This happens only when the OriginalCompressedSegmentSize and Offset/Length fields carry large values which, when added together, overflow the DWORD allocation size; the result is a destination buffer too small for the decompressed data and an out-of-bounds write. The vulnerable code exists in both the SMB client and the SMB server. We have published a detailed analysis of the vulnerability along with mitigation techniques.
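The size computation described above, as an added example (not K7's code and not the Windows driver): a receiver parses the 16-byte SMB2 compression transform header, and the unchecked DWORD sum of OriginalCompressedSegmentSize and Offset/Length is shown next to an overflow-checked sum that rejects the request instead of under-allocating. The sample headers are constructed, and the field layout follows MS-SMB2.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2): 16 bytes, little-endian fields. */
#define SMB2_COMPRESSION_PROTOCOL_ID 0x424D53FCu   /* bytes FC 'S' 'M' 'B' */
enum { HDR_OK = 0, HDR_REJECT_SHORT = -1, HDR_REJECT_PROTOCOL = -2, HDR_REJECT_OVERFLOW = -3 };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-patch style: the destination size is the plain DWORD sum of the two
   peer-controlled fields, so a large pair wraps to a small allocation. */
uint32_t alloc_size_unchecked(uint32_t original_size, uint32_t offset) {
    return original_size + offset;
}

/* Hardened form: widen to 64 bits and refuse any sum that does not fit a DWORD. */
bool alloc_size_checked(uint32_t original_size, uint32_t offset, uint32_t *out) {
    uint64_t sum = (uint64_t)original_size + offset;
    if (sum > UINT32_MAX) return false;
    if (out) *out = (uint32_t)sum;
    return true;
}

/* Parse the header and derive the decompression buffer size with the checked sum. */
int validate_compression_header(const uint8_t *buf, size_t len, uint32_t *alloc_size) {
    if (len < 16) return HDR_REJECT_SHORT;
    if (rd32(buf) != SMB2_COMPRESSION_PROTOCOL_ID) return HDR_REJECT_PROTOCOL;
    uint32_t original_size = rd32(buf + 4);   /* OriginalCompressedSegmentSize */
    uint32_t offset        = rd32(buf + 12);  /* Offset/Length */
    return alloc_size_checked(original_size, offset, alloc_size) ? HDR_OK : HDR_REJECT_OVERFLOW;
}

/* Constructed sample headers (not captured traffic): algorithm 0x0001 (LZNT1), flags 0. */
const uint8_t SAMPLE_BENIGN[16] = {
    0xFC,'S','M','B', 0x00,0x10,0x00,0x00, 0x01,0x00, 0x00,0x00, 0x10,0x00,0x00,0x00 };
const uint8_t SAMPLE_WRAPPING[16] = {
    0xFC,'S','M','B', 0xFF,0xFF,0xFF,0xFF, 0x01,0x00, 0x00,0x00, 0x10,0x00,0x00,0x00 };

int main(void) {
    uint32_t size = 0;
    int rc = validate_compression_header(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, &size);
    printf("benign:   rc=%d alloc=0x%x\n", rc, size);   /* rc=0 alloc=0x1010 */
    rc = validate_compression_header(SAMPLE_WRAPPING, sizeof SAMPLE_WRAPPING, &size);
    printf("wrapping: rc=%d (unchecked sum would be 0x%x)\n", rc,
           alloc_size_unchecked(0xFFFFFFFFu, 0x10u));   /* rc=-3, unchecked 0xf */
    return 0;
}
```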
A patch is available for this vulnerability; update your OS to install it. If you are unable to install the update for any reason, you can disable compression to block adversaries from attacking your SMBv3.1.1 server with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
K7 Security products actively detect attempts to exploit the SMBGhost vulnerability (CVE-2020-0796) under IDS (Rule: intrusion attack – id: 000200E8). Further information on this vulnerability is available at: CVE-2020-0796
Affected Software:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server version 1909 (Server Core installation)