SUBJECT:
A Vulnerability in Microsoft Windows SMB Server Could Allow for Remote Code Execution (CVE-2020-0796)
OVERVIEW:
A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the account running the SMB server and client processes. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
THREAT INTELLIGENCE:
There are no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
A vulnerability has been discovered in Microsoft Windows SMB Server that could allow for remote code execution. This vulnerability is due to an error in handling maliciously crafted compressed data packets within version 3.1.1 of Server Message Blocks. To exploit this vulnerability, an attacker can send specially crafted compressed data packets to a target Microsoft Server Message Block 3.0 (SMBv3) server. Clients who connects to the malicious SMB server would then also be impacted. Microsoft Server Message Block (SMB) is a network file sharing protocol that allows users or applications to request files and services over the network. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the account running the SMB server and client processes. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Consider applying the workarounds provided by Microsoft until patches are released; The workaround does not mitigate attacks targetting SMB clients.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.
REFERENCES:
Microsoft:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
Tenable:
https://www.tenable.com/blog/cve-2020-0796-wormable-remote-code-execution-vulnerability-in-microsoft-server-message-block
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796
