Update: Patch released | Microsoft Windows SMBv3.0 Service Remote Code Execution Vulnerability (CVE-2020-0796) Notice
Source: https://www.freebuf.com/articles/system/230288.html (patch released just today).
Document information

| Field | Value |
|---|---|
| Number | QiAnXinTI-SV-2020-0008 |
| Keywords | SMB, CVE-2020-0796 |
| Release date | March 11, 2020 |
| Updated | March 12, 2020 |
| TLP | WHITE |
| Analysis team | QiAnXin Threat Intelligence Center |
Announcement background

On March 11, 2020, a foreign security company published a review of Microsoft's latest security patches that mentioned an SMB service remote code execution vulnerability (CVE-2020-0796) rated Critical. An attacker could exploit it remotely, without any user authentication, by sending specially constructed data that causes malicious code to execute on the target system, giving the attacker full control of the machine. The vulnerability mainly affects devices that support SMBv3.0, and in theory it could be used by a worm.

Since the vulnerability information spread, there have been signs that hacker groups are actively studying it and attempting to exploit it, which poses a potential security threat. The RedDrip Team of the QiAnXin Threat Intelligence Center has confirmed that the vulnerability exists. On March 12, 2020, Microsoft released the corresponding security patch; users are strongly advised to install it immediately to avoid the risk this vulnerability poses.
Vulnerability Summary

| Field | Value |
|---|---|
| Vulnerability name | Microsoft Windows SMBv3.0 Service Remote Code Execution Vulnerability |
| Vulnerability ID | CVE-2020-0796 |
| Threat type | Remote Code Execution |
| Threat level | Critical |
| Exploitation scenario | An attacker can trigger the vulnerability by sending a specially crafted packet; no user authentication is required, and success could give control of the target system. |
| Affected systems and versions | Windows 10 Version 1903 for 32-bit Systems; Windows 10 Version 1903 for ARM64-based Systems; Windows 10 Version 1903 for x64-based Systems; Windows 10 Version 1909 for 32-bit Systems; Windows 10 Version 1909 for ARM64-based Systems; Windows 10 Version 1909 for x64-based Systems; Windows Server, version 1903 (Server Core installation); Windows Server, version 1909 (Server Core installation) |
Vulnerability Description

The vulnerability lies in Windows SMBv3.0 (the file-sharing and print service). Technical details are currently being withheld. An unauthenticated attacker can exploit it by constructing a malicious request that triggers execution of arbitrary code, leaving the system under unauthorized control.

Impact assessment

This vulnerability mainly affects the SMBv3.0 protocol, which is supported by Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2016. Judging from Microsoft's announcement, however, the main affected target is Windows 10 systems; given the number of such devices, the potential threat is considerable.
Remediation advice

Repair method

1. Microsoft has released a security patch for this vulnerability; see the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

2. If you are temporarily unable to install the patch, Microsoft currently recommends the following interim workaround. Execute the following command (in an elevated PowerShell session):

```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
```

This disables SMBv3.0 compression; whether to apply it should be decided in light of your own business requirements.
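The following script is an added example, not part of the original advisory or Microsoft's guidance: it checks whether the host is on one of the affected builds (the build numbers 18362 and 18363 for versions 1903 and 1909 are an assumption supplied here, not stated on the page), reads the current DisableCompression state, applies Microsoft's workaround only where it is missing, and verifies the result. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the advisory): audit and apply the interim SMBv3
# compression workaround for CVE-2020-0796, then verify the registry state.
# Assumes an elevated PowerShell session on the host being checked.

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$valueName = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 'Disabled' if the workaround value is set to 1, 'Enabled' otherwise
    $item = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$valueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Test-AffectedBuild {
    # Assumption: Windows 10 / Server versions 1903 and 1909 report builds 18362 and 18363
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    return ($build -in 18362, 18363)
}

if (-not (Test-AffectedBuild)) {
    Write-Output "Build is not 1903/1909; this workaround does not apply to this host."
    return
}

if ((Get-SmbCompressionState) -eq 'Disabled') {
    Write-Output "SMBv3 compression is already disabled; workaround is in place."
} else {
    # Microsoft's documented workaround, applied with the same key, value and type
    Set-ItemProperty -Path $paramsKey -Name $valueName -Type DWORD -Value 1 -Force
    Write-Output ("Workaround applied; compression is now: " + (Get-SmbCompressionState))
}
```

The workaround hardens the SMB server side of the host only; it does not protect the SMB client from connecting to a malicious server, so installing the patch remains the complete fix.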
Reference material
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Timeline

| Time | Event |
|---|---|
| March 11, 2020 | QiAnXin publishes its initial report on the then-unpatched vulnerability |
| March 12, 2020 | QiAnXin publishes updated information on the vulnerability patch |

* Author: QiAnXin Threat Intelligence Center. Please credit FreeBuf.COM when reprinting.