By The Claroty Research Team | Mar 11, 2020

The Claroty Research team has built a repository with tools (such as an NSE script) to detect potentially vulnerable assets related to the new Windows SMBv3 Remote Code Execution (RCE) vulnerability (CVE-2020-0796). More diagnostic tools will be added to the repository soon. Stay tuned.

Activity Summary

On March 10, Microsoft accidentally released information about a new “wormable” Windows Server Message Block 3.0 (SMBv3) Remote Code Execution (RCE) vulnerability (CVE-2020-0796) during its regular Patch Tuesday update. Although Microsoft removed the information, another security vendor noticed the release and obtained details about the vulnerability before Microsoft pulled it from its publication API. This created a significant public discussion about the vulnerability despite Microsoft’s best efforts to pull it back.

It is important to note that, especially since this was an accidental release, the situation is evolving and much remains unknown. Claroty’s research team will continue to investigate this issue and provide additional detection and mitigation recommendations as needed.

About the Vulnerability

Based on available information, the vulnerability affects the SMBv3 protocol (v3.1.1 and higher); more specifically, it resides in the protocol’s compression mechanism.

The vulnerability allows a “wormable” pre-auth RCE in both server and client attack scenarios. The most effective workaround published by Microsoft is to disable the compression functionality of the SMBv3 protocol. However, this workaround does not address the client attack scenario, which requires the attacker to make the victim access a specific SMB share.

At the time of writing, Microsoft had not released a patch, and no public exploitation of the issue had been detected.

Known Affected Products (as of March 10, 2020)

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows Server, version 1909 (Server Core installation)

Recommended Detection

  • Check the local machine for the version of active SMB connections (Windows 8 and up)
    • Powershell.exe -> Get-SMBConnection
      This only shows currently open SMB connections (the Dialect column gives the negotiated version).
  • Nmap scan to check supported SMB protocol versions (the smb-protocols script prints the 3.1.1 dialect as 3.11)
    nmap -p445 --script smb-protocols <Target Host/Subnet> | grep -P '\d+\.\d+\.\d+\.\d+|^\|.\s+3.11'
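
The grep at the end of the nmap command above prints the host lines and the dialect lines separately, so pairing a 3.11 line with its host is left to the reader. As an added example (not one of the repository's tools), the following Python script parses the normal output of `nmap -p445 --script smb-protocols` and lists only the hosts that advertise the 3.1.1 dialect; the sample output and the host addresses in it are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -p445 --script smb-protocols` normal output for two
# hosts; only the first advertises SMB 3.1.1 (printed by the script as "3.11").
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     3.02
|_    3.11

Nmap scan report for fileserver.example (192.0.2.20)
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.10
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
DIALECT_RE = re.compile(r"^\|[_ ]\s+(.+?)\s*$")
SMB311 = "3.11"  # smb-protocols' rendering of the SMB 3.1.1 dialect

def parse_smb_dialects(nmap_output: str) -> Dict[str, List[str]]:
    """Map each scanned host (by IP) to the dialect list reported by smb-protocols."""
    hosts: Dict[str, List[str]] = {}
    current, in_script = None, False
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current, in_script = m.group(1), False
            hosts[current] = []
        elif line.startswith("| smb-protocols:"):
            in_script = True
        elif in_script and current is not None:
            m = DIALECT_RE.match(line)
            if m and m.group(1) != "dialects:":
                hosts[current].append(m.group(1))
            if line.startswith("|_"):  # "|_" marks the script's last output line
                in_script = False
    return hosts

def potentially_vulnerable_hosts(nmap_output: str) -> List[str]:
    """Hosts advertising SMB 3.1.1. Dialect support alone does not prove a host is
    unpatched or has compression enabled, so treat these as candidates to verify."""
    return [h for h, d in parse_smb_dialects(nmap_output).items() if SMB311 in d]
```

Feed it the saved normal output of the scan (`nmap -oN`); hosts that advertise 3.11 are the ones to verify locally with the registry check and patch status.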

Recommended Mitigation

  • Block incoming SMB on host/network firewall (TCP port 445).
  • If possible, block internet/public-facing SMB connections. This mitigates the risk of a client-based attack against the SMBv3 compression.
  • Disable the SMBv3 compression feature on the server side (no reboot is needed).
    • Open Powershell.exe and type:
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force