CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat

    #2190525

    I’ve been sitting on pins and needles wondering when an in-the-wild exploit for the just-patched SMBv3 security hole might appear. Looks like it’s muc
    [See the full post at: CVE-2020-0796, the SMBv3 security hole, doesn’t pose an immediate threat]

    • #2190538

      No updating this weekend after all then!

    • #2190545

      Shame on all of us in the corporate world for trying to stay up to date.

      Yes I am pushing the new patch…because I need to. OK for now.

      Red Ruffnsore

    • #2190544

      If you run an SMB server, then you don’t need to patch; you just need to disable compression.

      KASLR makes it much harder for unsophisticated attackers to execute code, but a denial of service exploit causing a computer to crash would not need to defeat KASLR and could be accomplished by anyone.

      KASLR is not perfect protection: Every time you see an “Information Disclosure Vulnerability” listed as “2 – Exploitation Less Likely” in a Microsoft Security Guidance (there are TONS of these fixed every security update), that is potentially information that can be used to defeat KASLR.

      If you read Google Project Zero, they make bypassing KASLR look easy, all the time. It may deter script kiddies, but it’s not gonna deter serious adversaries.

      Luckily you don’t need to update to mitigate this. Disable compression on any SMB servers, if you have any 1903 or 1909 servers. If you have vulnerable servers, you should consider whether, in the future, you would be better served with an OS that is older, more stable, and supported for longer (Server 2019 is based on 1809 and not vulnerable).

      You shouldn’t be hesitant to disable compression. After all, compression is a new feature only available since 2019. Disabling compression is more like uninstalling a bad feature patch than installing a new security patch.

      This should be much less of a problem on clients, because your users should be smart enough to not connect to random SMB shares.

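    The server-side workaround the post above recommends is a single registry value under the LanmanServer parameters. The following script is an added example, not code from the post, from AskWoody or from Microsoft: it checks whether the machine is on an affected build (1903 = build 18362, 1909 = build 18363), reports whether SMB compression is already disabled, and applies the DisableCompression=1 workaround only when run with -Apply. The -Apply switch, the Get-SmbCompressionState function name and the exit messages are this example's own; run it in an elevated PowerShell session.

```powershell
# Added example: audit/apply the "disable SMB compression" workaround for CVE-2020-0796
# on the SMB server side. Not from the original post or from Microsoft.
# Assumptions: elevated PowerShell on Windows 10 / Windows Server version 1903 (build 18362)
# or 1909 (build 18363). -Apply and the function name are this example's own.

param([switch]$Apply)

$RegPath          = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$VulnerableBuilds = @(18362, 18363)   # 1903, 1909; 1809 (Server 2019) is not affected

function Get-SmbCompressionState {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $value = (Get-ItemProperty -Path $RegPath -Name DisableCompression `
                -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        Build              = $build
        AffectedBuild      = ($VulnerableBuilds -contains $build)
        DisableCompression = $value          # $null when the value has never been set
        ServerMitigated    = ($value -eq 1)
    }
}

$state = Get-SmbCompressionState
$state | Format-List

if (-not $state.AffectedBuild) {
    Write-Host "Build $($state.Build) is not 1903/1909; no workaround needed."
    return
}

if ($state.ServerMitigated) {
    Write-Host "SMB compression is already disabled on the server side."
} elseif ($Apply) {
    # Microsoft's published workaround: DisableCompression = 1 (REG_DWORD). Takes effect
    # without a reboot; the SMB server stops negotiating compression with clients.
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Host "DisableCompression set to 1."
} else {
    Write-Warning "SMB compression is enabled on an affected build. Re-run with -Apply to set DisableCompression=1."
}

# Caveat: this only hardens the SMB *server*. An unpatched 1903/1909 *client* that is talked
# into connecting to a malicious SMBv3 server is still exposed; only the update covers that side.
```

    Setting the value back to 0 (or removing it) re-enables compression once the update is installed, which is why the advisory frames it as a workaround rather than a fix.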
    • #2190546

      Kevin seems to be downplaying this solely from the Server side, which may be the case.

      However, according to the CVE:

      “To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”

      While the “client” mentioned could only be a W10 PC at 1903 or 1909 that is unpatched, it would certainly suggest a much larger target group than those Kevin alludes to.

    • #2190639

      Got this mail from Microsoft this morning:

      The following CVE has undergone a minor revision increment:

      * CVE-2020-0796

      Revision Information:
      =====================

      – CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

      – Reason for Revision: The following revisions have been made: 1. Added an FAQ to
      clarify that only a Server Core installation is available for Windows Server,
      version 1903 and Windows Server, version 1909. 2. In the Workarounds, added Note
      number 3 to state that SMB Compression is not yet used by Windows or Windows Server,
      and disabling SMB Compression has no negative performance impact. These are
      informational changes only.
      – Originally posted: March 12, 2020
      – Updated: March 13, 2020
      – Aggregate CVE Severity Rating: Critical
      – Version: 1.1
