Microsoft has published an advisory containing info about a new critical vulnerability (CVE-2020-0796) in the Microsoft Server Message Block (SMB) protocol which can be used to remotely execute code on the target SMB Server or SMB Client.
According to Microsoft, the vulnerability exists due to the way the SMBv3 protocol handles certain requests.
“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it,” the advisory reads.
The CVE-2020-0796 flaw affects the following products:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
While the tech giant did not share info on when the patch for CVE-2020-0796 will be available, the company provided a workaround to protect servers against exploitation attempts.
Users can disable SMBv3 compressionon SMBv3 servers with this PowerShell command (no reboot required, does not prevent the exploitation of SMB clients):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Users can disable the workaround using the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force