CVE-2020-0796: Vulnerability in Windows 10 and Windows Server (patch available!)

By 16 March 2020 November 16th, 2020 Blog, SOC
windows

CVE-2020-0796: Vulnerability in Windows 10 and Windows Server with potential large impact (patch available!)

Summary

On 12 March 2020, Microsoft issued patch KB4551762 [1] to resolve CVE-2020-0796. This vulnerability affects recent Windows 10 and Windows Server versions. If an attacker manages to take advantage of this vulnerability successfully, then they can run a malicious code remotely on these systems.

This patch was issued beyond the regular “patch Tuesday”, and the patching of vulnerable systems is, therefore, deemed to be very urgent. Make sure that you patch your vulnerable systems as soon as possible, or otherwise protect them if patching is not possible!

Introduction

On 10 March 2020, Microsoft revealed a vulnerability in the SMBv3.1.1 protocol [6]. At the time of publication, a patch was not available yet. A few days later, on 12 March, patch KB4551762 [1] was published for this problem. In general, Microsoft publishes updates for Windows monthly on “patch Tuesday”, but due to the considerable urgency of this problem, this patch was made available outside the regular process.

In this blog post we outline what SMB is and what the vulnerability in SMBv3.1.1 entails. In addition, we indicate why this vulnerability brings about a big risk and why fast patching is, therefore, very important. Finally, we indicate what you can do now to reduce the risks for your network.

What is SMB?

SMB [7] is the protocol that is used by Windows systems to make files and directories available to other systems on the local network. Shared directories are often referred to as “shares” or “Windows shares” and are often available in business networks as separate “drives” on workstations with an individual letter as indication. The hard disk is often referred to with the letter “C”; network drives often have letters that are a bit further on in the alphabet.

In practice, almost all networks use the SMB protocol to share files between workstations via file servers. Support for this protocol is, therefore, by default included in all modern Windows versions.

Potential risk

In version 3.1.1 of the SMB protocol, recent versions of Windows also support compression. A vulnerability has now been detected in the implementation of this feature (CVE-2020-0796) with which an attacker can, theoretically, take over vulnerable systems via the network. Successful authentication on a file server is not required to abuse this vulnerability.

What makes this vulnerability extra dangerous is that both clients (workstations) and servers are vulnerable. Hence, an attacker could potentially develop malware that distributes itself automatically via this vulnerability from the client to the server and vice versa over an entire network. This kind of scenario reminds of the worldwide WannaCry attack from May 2017. WannaCry used an exploit for CVE-2017-0144, also a vulnerability in SMB with which the ransomware could automatically distribute itself via the network.

The patch for this problem became available on 12 March, and it is therefore highly recommended  to install this patch on your systems as soon as possible.

Are my systems vulnerable?

The vulnerability CVE-2020-0796 is only present in systems that support SMBv3.1.1 compression. This feature is only present in relatively recent Windows 10 and Windows Server versions (from version 1903). Also see the list of versions with the thereto-pertaining available updates [3] and the FAQ of Microsoft itself [4].

Older Windows versions should not be vulnerable to this specific problem. The recommendation to install security updates as soon as possible is, of course, also still applicable to these kinds of systems.

What can you do to prevent or limit potential damages?

If you administer systems that are vulnerable to CVE-2020-0796, then you can best install patch KB4551762 [1] as soon as possible. In many instances, this can simply be done via Windows Update. If this is currently not possible on servers, for whatever reason, then you can consider the workaround described by Microsoft for these systems: the deactivation of SMBv3 compression [2]. Please note: the vulnerability affects both servers and clients, but a workaround is not available for clients!

In addition to the protection of your systems against abuse of CVE-2020-0796, it is also recommended to block SMB traffic on the periphery of your network (for instance in your firewalls) and to reduce so-called “lateral connections” as much as possible. Microsoft also has extensive documentation available about this [5].

Tesorion actively researches attacks on CVE-2020-0796. Our customers are protected in various ways:

– The honeypot in Tesorion Immunity detects attacks that use CVE-2020-0796.

– At SOC customers of Tesorion, potential attacks on CVE-2020-0796 are detected via our network sensors.

Sources:

[1]: https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762
[2]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0796#ID0EUGAC
[3]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0796#ID0EGB
[4]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0796#ID0EKIAC
[5]: https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
[6]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200005
[7]: https://en.wikipedia.org/wiki/Server_Message_Block