Microsoft SMBGhost SMBv3 Remote Code Execution Vulnerability [CVE-2020-0796]

CVE number – CVE-2020-0796

Update 13-03-2020 – A fix has now been issued for this by Microsoft. Details here.

Microsoft has released details of a vulnerability known as SMBGhost (also known as Bluesday, CoronaBlue, DeepBlue 3, NexternalBlue, or Redmond Drift). It affects the Server Message Block version 3.1.1 (SMBv3) protocol.

Microsoft is aware of a remote code execution vulnerability that affects the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

Workaround

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available, even if you plan to leave this workaround in place:

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

  1. No reboot is needed after making the change.
  2. This workaround does not prevent exploitation of SMB clients.

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Note:

  1. No reboot is needed after disabling the workaround.
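The two registry commands above, wrapped into a small script that reports whether the workaround is in place, applies or reverts it, and audits a list of servers remotely. This is an added example, not code from the original post or from Microsoft; the function names, the Test-/Apply-/Revert- wrapper and the placeholder server names are assumptions, and it assumes an elevated PowerShell session (and WinRM for the remote audit).

```powershell
# Added example (not from the original post): check, apply, revert and audit the
# Microsoft-documented SMBv3 compression workaround for CVE-2020-0796.
# Assumes an elevated PowerShell session; the registry path and value name are
# the ones in Microsoft's workaround, everything else here is assumed.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

function Get-SmbCompressionWorkaroundState {
    # Returns 'Applied' when DisableCompression is 1, otherwise 'NotApplied'.
    # A missing value is the default: compression enabled, workaround absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Applied' }
    return 'NotApplied'
}

function Set-SmbCompressionWorkaround {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Apply', 'Revert')]
        [string]$Action
    )
    $value = if ($Action -eq 'Apply') { 1 } else { 0 }
    # Same command as the workaround above; -Name is given explicitly for readability.
    Set-ItemProperty -Path $RegPath -Name $ValueName -Type DWORD -Value $value -Force
    # No reboot is needed in either direction; re-read the key to confirm the change.
    return Get-SmbCompressionWorkaroundState
}

function Test-SmbCompressionWorkaroundFleet {
    # Audits the workaround state on remote servers over WinRM.
    # Note: this only covers the server-side workaround; SMB clients remain exposed.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                 -Name 'DisableCompression' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Workaround = if ($null -ne $item -and $item.DisableCompression -eq 1) { 'Applied' } else { 'NotApplied' }
        }
    } | Select-Object Computer, Workaround
}

# Usage (constructed): report the local state, apply the workaround, then audit
# two placeholder servers. Replace the names with real hosts before running.
"Before: $(Get-SmbCompressionWorkaroundState)"
"After:  $(Set-SmbCompressionWorkaround -Action Apply)"
Test-SmbCompressionWorkaroundFleet -ComputerName 'FILESRV-PLACEHOLDER-1', 'FILESRV-PLACEHOLDER-2' | Format-Table
```

The fleet audit is the useful part for a defender: it shows which servers still have compression enabled while the patch is rolled out, and, once the update is installed, which ones still carry the interim registry change so it can be reverted with `-Action Revert`.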

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
