Patch IMMEDIATELY – Microsoft SMBv3 Compression - Wormable RCE Vulnerability - CVE-2020-0796

March 13, 2020

Summary

*** Patch Windows 10 and affected Windows Server 2019 systems IMMEDIATELY, even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate delays in patching. ***

A patch is available (KB4551762) [1] for a remote code execution vulnerability for how Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.  [2, 3]  

 

Impact

An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.[1]
Microsoft has advised that this vulnerability is “wormable”, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. [4]

Vulnerable

  • Microsoft Windows 10 version 1903 
  • Microsoft Windows 10 version 1909
  • Microsoft Windows Server 2019 version 1903
  • Microsoft Windows Server 2019 version 1909

Recommendations

  • Patch vulnerable systems IMMEDIATELY.

  • Ensure your system is receiving automatic updates - if not apply the patch manually. 

  • Prioritize patching systems that connect from off-campus through VPNs or proxies. 

  • If immediate patching is not an option and SMBv3 compression is not necessary, disable SMBv3 compression [4], or restrict access to the host by creating a firewall rule to block SMB traffic.

References