News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat

    Home Forums AskWoody blog CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat

    Viewing 5 reply threads
    • Author
      • #2190525 Reply
        Da Boss

        I’ve been sitting on pins and needles wondering when an in-the-wild exploit for the just-patched SMBv3 security hole might appear. Looks like it’s muc
        [See the full post at: CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat]

        4 users thanked author for this post.
      • #2190538 Reply
        AskWoody Plus

        No updating this weekend after all then!

        2 users thanked author for this post.
      • #2190545 Reply
        Mr. Natural
        AskWoody Plus

        Shame on all of us in the corporate world for trying to stay up to date.

        Yes I am pushing the new patch…because I need to. OK for now.

        Red Ruffnsore

      • #2190544 Reply

        If you run an SMB server, then you don’t need to patch, you just need to disable compression.

        KASLR makes it much harder for unsophisticated attackers to execute code, but a denial of service exploit causing a computer to crash would not need to defeat KASLR and could be accomplished by anyone.

        KASLR is not perfect protection: Every time you see an “Information Disclosure Vulnerability” listed as “2 – Exploitation Less Likely” in a Microsoft Security Guidance (there are TONS of these fixed every security update), that is potentially information that can be used to defeat KASLR.

        If you read Google Project Zero, they make bypassing KASLR look easy, all the time. It may deter script kiddies, but it’s not gonna deter serious adversaries.

        Luckily you don’t need to update to mitigate this. Disable compression on any SMB servers, if you have any 1903 or 1909 servers. If you have vulnerable servers, you should consider whether, in the future, you would be better served with an OS that is older, more stable, and supported for longer (Server 2019 is based on 1809 and not vulnerable).

        You shouldn’t be hesitant to disable compression. After all, compression is a new feature only available since 2019. Disabling compression is more like uninstalling a bad feature patch than installing a new security patch.

        This should be much less of a problem on clients, because your users should be smart enough to not connect to random SMB shares.

        1 user thanked author for this post.
      • #2190546 Reply

        Kevin seems to be downplaying this solely from the Server side which may be the case.

        However, according to the CVE:

        “To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”

        While the “client” mentioned could only be a W10 PC at 1903 or 1909 that is unpatched, it would certainly suggest a much larger target group than those Kevin alludes to.

        1 user thanked author for this post.
      • #2190639 Reply
        AskWoody Plus

        Got this mail from Microsoft this morning :

        The following CVE has undergone a minor revision increment:

        * CVE-2020-0796

        Revision Information:

        – CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability

        – Reason for Revision: The following revisions have been made: 1. Added an FAQ to
        clarify that only a Server Core installation is available for Windows Server,
        version 1903 and Windows Server, version 1909. 2. In the Workarounds, added Note
        number 3 to state that SMB Compression is not yet used by Windows or Windows Server,
        and disabling SMB Compression has no negative performance impact. These are
        informational changes only.
        – Originally posted: March 12, 2020
        – Updated: March 13, 2020
        – Aggregate CVE Severity Rating: Critical
        – Version: 1.1

    Viewing 5 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.