Security Alert: Microsoft SMBv3 Remote Code Vulnerability
Date:
2020-03-13 13:33:00
Status:
Closed
Brief Description:
Microsoft has disclosed CVE-2020-0796, a Windows SMBv3 Client/Server Remote Code Execution Vulnerability. A remote attacker could exploit this vulnerability to execute code on a vulnerable server or client. Mitigating updates are available.
Current Status:
Updates are available. ITSO recommends immediate patching of all affected systems.
Services Affected:
Not Applicable
Full Description:
Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
The IT Security Office recommends immediate patching of all vulnerable systems. If immediate patching is not possible, there is a workaround that disables SMBv3 compression through the Windows registry. This workaround mitigates only part of the vulnerability: it protects the SMB server but does NOT protect SMB clients. The steps to implement this workaround are outlined in the external links below.
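The following PowerShell script is an added example, not part of the original alert or of Microsoft's advisory text. It reports whether the server-side compression workaround is in effect on a host and, with the hypothetical -Apply switch, sets it. The registry path and the DisableCompression value name are the ones published in Microsoft Security Advisory ADV200005, and the build numbers 18362 and 18363 correspond to versions 1903 and 1909. The script does not check whether the security update itself is installed.

```powershell
# Added example: audit (and optionally apply) the SMBv3 server compression workaround.
param(
    [switch]$Apply   # hypothetical switch for this example: set the value if it is missing
)

# Registry location and value name as published in ADV200005.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'DisableCompression'

# Versions 1903 and 1909 report build numbers 18362 and 18363.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$versionInScope = $build -in 18362, 18363

function Get-CompressionDisabled {
    # Returns $true only when the value exists and equals 1.
    $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    return ($v -eq 1)
}

$disabled = Get-CompressionDisabled

if ($Apply -and $versionInScope -and -not $disabled) {
    # Requires an elevated session. Re-read afterwards instead of assuming success.
    Set-ItemProperty -Path $path -Name $name -Type DWord -Value 1 -Force
    $disabled = Get-CompressionDisabled
}

[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    Build                     = $build
    VersionInScope            = $versionInScope   # 1903/1909; patch state is not checked
    ServerCompressionDisabled = $disabled
    # The workaround covers the SMB server role only, never the SMB client.
    ClientCoveredByWorkaround = $false
}
```

A host that reports VersionInScope as True still needs the update even when ServerCompressionDisabled is True, because the SMB client remains exposed.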
For customers of CIT's Managed Server Service - This vulnerability does not affect systems under the service. No systems within the Managed Server Service use the Windows Server versions that are vulnerable (1903 and 1909 Server Core installation) nor will they be updated to those versions in the future.
For customers of CIT's Certified Desktop Service - The update is currently available for install. The deadline to install the update is Tuesday March 17, 2020 at 4:00PM.
External Links to more information:
Microsoft Security Advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
Microsoft Security Update Guide - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796