SMB remote code execution vulnerability CVE-2020-0796 Security Advisory

[Vulnerability Name]

SMB Remote Code Execution Vulnerability (CVE-2020-0796), which security researchers have named "SMBGhost".

 

[Vulnerability Description]

On March 11 Microsoft released its routine monthly update. It did not include details of the high-risk vulnerability CVE-2020-0796, yet this vulnerability drew by far the most attention. Late the next day (March 12, 2020) Microsoft officially released the patch for CVE-2020-0796.

When the SMB 3.1.1 protocol processes a compressed message, it uses the message data directly without security checks, causing a memory corruption vulnerability that attackers could exploit to execute arbitrary code remotely.

An attacker exploiting this vulnerability needs no credentials to execute code remotely on the target system; network access alone is enough to break in.

The consequences of this vulnerability are very close to those of the EternalBlue series: both use Windows SMB vulnerabilities to let a remote attacker obtain the highest system privileges, and the WannaCry ransomware worm used the EternalBlue exploit tools to cause a catastrophe. Beyond direct RCE attacks on SMB servers, a notable aspect of this vulnerability is that the SMB client is also attackable: an attacker can craft specific web pages, archives, shared directories, Office documents and other carriers to trigger the vulnerability.

The vulnerability did not appear in Microsoft's regular March update list; a foreign security company accidentally published information about its existence, which then raised concern across the industry.

 

[Affected Versions]

The vulnerability does not affect Windows 7. It affects every 32-bit and 64-bit version of Windows from Windows 10 1903 onward, including Home, Professional, Enterprise and Education editions.

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, Version 1903 (Server Core installation)

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, Version 1909 (Server Core installation)

These are the current mainstream operating system versions, widely used in personal and corporate environments.

 

[Vulnerability Type]

Remote Code Execution

 

[Vulnerability Level]

High-risk

 

[Vulnerability No.] CVE-2020-0796

 

[Vulnerability Impact]

According to data from the T-Sec network asset risk monitoring system (Tencent Yuzhi), roughly 10 million SMB services worldwide may have this vulnerability and are directly exposed to the public Internet; they may be the targets of the first round of attacks.


For government agencies, enterprises and institutions, every network node running Windows 10 1903 or later is a potential target. Once an attacker gets in, targeted exploit tools can be used to spread across the network; the overall risk is as great as EternalBlue, and the WannaCry ransomware worm caused its catastrophe using the EternalBlue exploit tools.

 

【Solution】

Business users:

1. Use the T-Sec network asset risk detection system (Tencent Yuzhi) to comprehensively check whether enterprise network assets have security vulnerabilities.

The T-Sec network asset risk detection system (Tencent Yuzhi) automatically discovers enterprise network assets and identifies their risks. It monitors the risks of enterprise websites, cloud hosts and mini programs in all respects, including weak-password detection, Web vulnerability scanning, detection of illegal or sensitive content, website tamper detection, and detection of risk assets hosting Trojans or cryptomining software.


 

Business users can scan the QR code below to use the T-Sec network asset risk detection system free of charge (yuzhi.qq.com).


 

2. The T-Sec terminal security management system (Tencent Yudian) has already been upgraded and can block attacks that use this vulnerability:


 

Enterprise networks can also use the T-Sec terminal security management system (Tencent Yudian) for network-wide vulnerability scanning and repair: run a unified scan of the whole network and install patch KB4551762.

Deploy the T-Sec terminal security management system (Tencent Yudian) to intercept virus and Trojan intrusions; for more information see: https://s.tencent.com/product/yd/index.html

3. Business users are advised to deploy the T-Sec advanced threat detection system (Tencent Yujie) to detect hacker attacks.

The T-Sec advanced threat detection system (Tencent Yujie) is built on Tencent's security capabilities. Relying on Tencent Cloud and massive terminal data, it has developed a unique threat intelligence and malware detection model system that can promptly and effectively detect the various intrusion and infiltration attacks hackers launch against the corporate network. Reference link: https://cloud.tencent.com/product/nta


 

4. Tencent has released an SMB remote code execution vulnerability scanning tool; administrators can use it to remotely check terminals across the whole network for the vulnerability.

 


 

To prevent the tool from being abused by attackers, the SMB remote code execution vulnerability scanning tool must be applied for; the application process is described at:

https://pc1.gtimg.com/softmgr/files/20200796.docx

5. Business users can also install the patch through Windows Update: open Windows Settings and click "Update & Security".

Personal users:

1. Individual users can also run Windows Update directly and install all patches.

2. Individual users can also manually modify the registry to prevent remote attacks by hackers:

Run regedit.exe to open the Registry Editor, create a DWORD value named DisableCompression under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and set it to 1, which disables SMB compression.
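The registry workaround above, as an added PowerShell example (not part of the advisory or any Tencent tool) that an administrator can run on one host to check whether it is in scope, whether patch KB4551762 is present, and whether compression is already disabled, and then apply the DisableCompression value only when needed. It assumes the Windows 10 / Server builds 18362 and 18363 correspond to versions 1903 and 1909, and that the cumulative update shows up in Get-HotFix.

```powershell
# Added example: audit one host for CVE-2020-0796 exposure and apply the DisableCompression
# workaround from the advisory. Run from an elevated PowerShell session.
# Assumption: build 18362 = version 1903, build 18363 = version 1909 (the affected versions listed above).
$ParamsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$PatchId        = 'KB4551762'          # patch named in the advisory
$AffectedBuilds = @(18362, 18363)

function Test-SmbGhostExposure {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    # Get-HotFix reads Win32_QuickFixEngineering; the cumulative update is listed once installed
    $patched = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)
    $compression = (Get-ItemProperty -Path $ParamsKey -Name DisableCompression `
                        -ErrorAction SilentlyContinue).DisableCompression
    $inScope = $AffectedBuilds -contains $build
    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = $inScope
        PatchInstalled      = $patched
        CompressionDisabled = ($compression -eq 1)
        # Exposed only when the build is in scope and neither the patch nor the workaround is present
        Exposed             = $inScope -and -not $patched -and ($compression -ne 1)
    }
}

function Set-SmbCompressionDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($ParamsKey, 'Set DisableCompression = 1')) {
        # Creates the value if it does not exist; the Server service honours it without a reboot
        Set-ItemProperty -Path $ParamsKey -Name DisableCompression -Type DWord -Value 1 -Force
    }
}

$state = Test-SmbGhostExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'Host is exposed to CVE-2020-0796; disabling SMB compression until the patch is installed.'
    Set-SmbCompressionDisabled      # add -WhatIf to preview the change
}
```

The workaround only hardens the SMB server component; the client-side vector mentioned earlier (malicious shares, documents and web content) is closed only by installing the patch.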

 

【Timeline】

1. March 11, 2020: a foreign vendor's regular update release disclosed a suspected serious SMB flaw;

2. Microsoft released a temporary mitigation: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005

3. March 11, 2020: Tencent PC Manager officially released "CVE-2020-0796: Microsoft SMB protocol suspected 'wormable' vulnerability preliminary notice";

4. March 12, 2020, 23:00: Microsoft officially released the security bulletin for CVE-2020-0796;

5. March 12, 2020: Tencent released a non-destructive remote security scanning tool.

Reference links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796


Origin blog.csdn.net/qcloud_security/article/details/104840397