Initiatieven voor
Als nationale autoriteit voor cyberveiligheid heeft het CCB verschillende initiatieven ontwikkeld voor specifieke doelgroepen die hier worden gepresenteerd.
Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3
Image
Gepubliceerd : 11/03/2020
Reference:
Advisory #2020-007
Version:
1.1
Affected software:
Microsoft SMBv3 Server or SMBv3 Client
Type:
Remote Code Execution (RCE), Wormable
CVE/CVSS:
CVE-2020-0796
Sources
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762
https://twitter.com/msftsecresponse/status/1237515046390882304?s=20
https://fr.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block?tns_redirect=true
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0796
https://powershellexplained.com/2020-03-10-Powershell-disable-smb3-compression/
Risks
By connecting to a vulnerable Windows machine using SMBv3, or by causing a vulnerable Windows system to initiate a client connection to a SMBv3 server, a remote, unauthenticated attacker is able to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Description
Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability, dubbed SMBGhost or EternalDarkness, in the way that it handles connections that use compression, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. It has been reported that this vulnerability is "wormable."
Successful exploitation of the vulnerability would grant the attacker arbitrary code execution in both SMB Server and SMB Client.
UPDATE: On March 12th, Microsoft has released a patch, named KB4551762, to mitigate this vulnerability. A workaround is available if you cannot install the patch immediately.
UPDATE: On March 31th, a PoC was released by researchers García Gutiérrez (@danigargu) and Manuel Blanco Parajón (@dialluvioso_), available here : https://github.com/danigargu/CVE-2020-0796
Workarounds
Disable SMBv3 Compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Notes:
- No reboot is needed after making the change.
- This workaround does not prevent exploitation of SMB clients.
You can implement the workaround with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Block inbound and outbound SMB
Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN.
Recommended Actions
Microsoft released an advisory for this vulnerability. CERT.be recommends applying the patch as soon as possible!
If you cannot patch immediately, please apply the workaround explained above. The workarounds are also further explained on this blog too.