  • It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019

      • #2189610 Reply
        woody
        Da Boss

        I’ll have more details about this shortly, but many of you admins are rightly concerned about the CVE-2020-0796 security hole, which was announced, th
        [See the full post at: It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019]

        1 user thanked author for this post.
      • #2189618 Reply
        b
        AskWoody Plus

        It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019

        2013? 😕

        Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

        2 users thanked author for this post.
        • #2189652 Reply
          woody
          Da Boss

          Oooops. I invented two new Server versions. Sorry ’bout that. Another cup o’ coffee, guv’na.

          2 users thanked author for this post.
      • #2189629 Reply
        LoneWolf
        AskWoody Plus

        It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019

        2013? 😕

        Ditto, I was wondering about this.

        Server 2016 and 2019, perhaps?

        We are SysAdmins.
        We walk in the wiring closets no others will enter.
        We stand on the bridge, and no malware may pass.
        We engage in tech support, we do not retreat.
        We live for the LAN.
        We die for the LAN.

      • #2189631 Reply
        steeviebops
        AskWoody Lounger

        If it only affects 1903 and 1909 then only Server 2019 would be affected. Server 2016 is based on 1607.

      • #2189633 Reply
        jabeattyauditor
        AskWoody Lounger

        The BleepingComputer article specifically mentions Core installs only, which makes even less sense. Why would SMBv3 be less vulnerable on a Desktop Experience install?

        2 users thanked author for this post.
        • #2189654 Reply
          woody
          Da Boss

          Good question. Microsoft’s ADV isn’t at all clear.

      • #2189657 Reply
        steeviebops
        AskWoody Lounger

        If it only affects 1903 and 1909 then only Server 2019 would be affected. Server 2016 is based on 1607.

        Hang on (can’t seem to edit my own post). Server 2019 is based on 1809 so shouldn’t be affected either. So would only be the Core 1903 and 1909 releases in that case.

      • #2189708 Reply
        anonymous
        Guest

        A Windows 10 PC can be a SMB server if it shares a folder or a printer. In fact, all Windows 10 PCs are SMB servers since the C drive is always shared as c$.

        Do not confuse Windows Server and SMB server.

      • #2189728 Reply
        anonymous
        Guest

        The crazy part about this is that it affects the client as well.

        To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

        There’s a way to disable smb compression for servers, but not for clients. Surely even if there was a problem with the real patch, they could’ve shipped a patch that let us disable compression on the client side.

        Can an attacker just replace a normal smb server with arp poisoning or something? SMB has session signatures, but it doesn’t have long-lasting certificates like an HTTPS site, does it? And the policy “Microsoft network client: Digitally sign communications (always)” is disabled by default.

        Does a client have to log in to a specific share, or is browsing a computer’s shares with Network Discovery enough to exploit?

        There's way too much we don’t know.

        I have now seen/talked to 3 different people claiming they found the bug in less than 5 minutes. I won’t be surprised if exploits pop up online by the end of the day.

        I would not be surprised either. Buffer overflows are a simple exploit. Once it’s known one is out there, people can find them. This one is just hidden by a new/obscure smb compression extension.

        The crypto bug the NSA found is similar, it’s just low-hanging fruit that could be gleaned from the Wikipedia page of elliptic curve cryptography, or from a basic crypto lecture. Nobody would imagine that it would exist in a real implementation in 2020.

      • #2189746 Reply
        anonymous
        Guest

        Can someone provide some advice for the common folk:  being a home user, on a local network with 2 laptops that share a wireless printer, using a router, is this a concern? Do I need to disable SMBv3 compression, etc.? Running Gibson’s ShieldsUP shows all ports, including 445, as stealth. Currently on Win 10 1909. Just trying to figure out if I need to take any action or just wait on a patch from MS.

        • #2189749 Reply
          PKCano
          Da Boss

          Woody says:

          And if you aren’t in charge of a network, sit back and smile. You have other things to worry about.

          1 user thanked author for this post.
          • #2189818 Reply
            anonymous
            Guest

            Windows 10 running a C$ share would all be affected, wouldn’t it?  The only Win10 1903/1909 installs not affected may be Home users (assuming they don’t share printers).  Pro and higher will most likely have the exploit even if not on a domain.

            • #2190034 Reply
              woody
              Da Boss

              I understand that you’re concerned but… there’s no exploit as yet, and precious few details about who’s affected.

              Sit tight. There are plenty of people working on it.

      • #2190013 Reply
        CraigS26
        AskWoody Plus

        Windows 10 running a C$ share would all be affected, wouldn’t it?  The only Win10 1903/1909 installs not affected may be Home users (assuming they don’t share printers).  Pro and higher will most likely have the exploit even if not on a domain.

        IF 1909-64 Home users w/1-Printer ARE affected can someone clarify if the PowerShell Cmd that is entered in SERVERS Admin Cmd Prompt applies, ALSO, to just Desktop users. All To-Do’s address Server environments yet 1909-64 Desktops are allegedly affected and nothing specifically is said about them.

        Sorry for Double Post & missed clarification just above- Continue to WISH Edit lasted longer.

        I see that PKC’s — And if you aren’t in charge of a network, sit back and smile. You have other things to worry about. — makes my question moot.

        W10-64 1909 Home / Hm-Stdnt Ofce '16 C2R / HP Envy i5-8400/ 12 GB / 256G SSD + 1 TB HDD / InSpectre #8 = GREEN
