• CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat

    Home » Forums » Newsletter and Homepage topics » CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat


    I’ve been sitting on pins and needles wondering when an in-the-wild exploit for the just-patched SMBv3 security hole might appear. Looks like it’s muc
    [See the full post at: CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat]

    4 users thanked author for this post.
    Viewing 4 reply threads
    • #2190538

      No updating this weekend after all then!

      2 users thanked author for this post.
    • #2190545

      Shame on all of us in the corporate world for trying to stay up to date.

      Yes I am pushing the new patch…because I need to. OK for now.

      Red Ruffnsore

    • #2190544

      If you run an SMB server, then you don’t need to patch, you just need to disable compression.

      KASLR makes it much harder for unsophisticated attackers to execute code, but a denial of service exploit causing a computer to crash would not need to defeat KASLR and could be accomplished by anyone.

      KASLR is not perfect protection: Every time you see an “Information Disclosure Vulnerability” listed as “2 – Exploitation Less Likely” in a Microsoft Security Guidance (there are TONS of these fixed every security update), that is potentially information that can be used to defeat KASLR.

      If you read Google Project Zero, they make bypassing KASLR look easy, all the time. It may deter script kiddies, but it’s not gonna deter serious adversaries.

      Luckily you don’t need to update to mitigate this. Disable compression on any SMB servers, if you have any 1903 or 1909 servers. If you have vulnerable servers, you should consider whether, in the future, you would be better served with an OS that is older, more stable, and supported for longer (Server 2019 is based on 1809 and not vulnerable).

      You shouldn’t be hesitant to disable compression. After all, compression is a new feature only available since 2019. Disabling compression is more like uninstalling a bad feature patch than installing a new security patch.

      This should be much less of a problem on clients, because your users should be smart enough to not connect to random SMB shares.

      1 user thanked author for this post.
    • #2190546

      Kevin seems to be downplaying this solely from the Server side which may be the case.

      However, according to the CVE:

      “To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”

      While the “client” mentioned could only be a W10 PC at 1903 or 1909 that is unpatched, it would certainly suggest a much larger target group than those Kevin alludes to.

      1 user thanked author for this post.
    • #2190639

      Got this mail from Microsoft this morning :

      The following CVE has undergone a minor revision increment:

      * CVE-2020-0796

      Revision Information:

      – CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability

      – Reason for Revision: The following revisions have been made: 1. Added an FAQ to
      clarify that only a Server Core installation is available for Windows Server,
      version 1903 and Windows Server, version 1909. 2. In the Workarounds, added Note
      number 3 to state that SMB Compression is not yet used by Windows or Windows Server,
      and disabling SMB Compression has no negative performance impact. These are
      informational changes only.
      – Originally posted: March 12, 2020
      – Updated: March 13, 2020
      – Aggregate CVE Severity Rating: Critical
      – Version: 1.1

    Viewing 4 reply threads
    Reply To: CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: