On March 10, 2020, during its monthly Patch Tuesday, Microsoft published the advisory ADV200005 for a critical Remote Code Execution (RCE) vulnerability on Server Message Block (SMB) 3.1.1. Microsoft released the advisory after Cisco Talos accidentally published details on the same day. Both Cisco Talos and Fortinet released advisories for the vulnerabilities on their pages but Cisco Talos removed it quickly from its page—both identified the vulnerability as CVE-2020-0796.

Per Microsoft's advisory, the vulnerability is present in SMBv3 in the way it handles certain types of requests—specifically on how compression is handled. For server systems, an unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to a vulnerable SMBv3 server. For SMBv3 clients, an attacker would need to convince a user to connect to a malicious SMBv3 server that they have configured. In most corporate environments, port 445 is blocked to the outside world, reducing the attack surface for client systems. But given how mobile most workforces are these days, this still poses a threat, since many client hosts will be mobile and outside of this control (this goes without mentioning internal attackers).

Based on the intrusion prevention system (IPS) rule released by FortiGuard Labs, the bug appears to be a buffer overflow type of vulnerability. The successful exploitation of this vulnerability will execute the code under the privilege of SYSTEM on the affected host.

The affected systems are:

• Windows 10 Version 1903 for 32-bit systems          
• Windows 10 Version 1903 for ARM64-based systems        
• Windows 10 Version 1903 for x64-based systems   
• Windows 10 Version 1909 for 32-bit systems          
• Windows 10 Version 1909 for ARM64-based systems        
• Windows 10 Version 1909 for x64-based systems   
• Windows Server, version 1903 (server core installation)     
• Windows Server, version 1909 (server core installation)

Given that Windows 2008 and Windows 7 do not support SMBv3, they are not affected, but because they are end-of-life, they introduce other risks into the environment.

Microsoft provided a workaround to disable compression on SMBv3 by modifying the Windows Registry on Windows Server 2019 for the affected versions by setting the DisableCompression value of the registry key HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 1. This may have a performance impact on Windows servers used as File Servers and as targets for mounted shares for high throughput applications like clustering. As a result, testing is recommended on those systems to ensure there is no business impact and that other measures, like controlling what IP addresses can connect that leverage the host Windows Firewall, should be used.

Mitigation for Windows Server

Microsoft provided a Windows PowerShell command to set the value for the registry key:

 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force 

This workaround will not prevent client machine exploitation.

A way to deploy the configuration change would be to use Group Policy Objects (GPO).

1. On a Domain Controller, open Windows PowerShell as Administrator and create a GPO using the following command:

New-GPO -Name "Disable SMBv3 Compression" -Comment "GPO to disable SMBv3 compression to mitigate CVE-2020-0796"

2. Set the registry key and value for the GPO to control using the following command inside PowerShell:

Set-GPRegistryValue
-Name "Disable SMBv3 Compression" -Key
"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters "
-ValueName "DisableCompression" -Type DWORD -Value 1

To target only the affected versions of Windows Server, we will create a WMI filter.

1. Open the Group Policy Management console.
2. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, and then click WMI Filters.
3. Click Action, and then click New.
4. In the Name text box, type the name of the WMI filter, Windows Server CVE-2020-0796
5. In the Description text box, type a description for the WMI filter. Filter for Windows Server 2019 versions affected by CVE-2020-0796.
6. Click Add.
7. Leave the Namespace value set to root\CIMv2.
8. In the Query text box, type: select * from Win32_OperatingSystem where (Version = "10.0.18363" OR Version="10.0.18362") and (ProductType="2" OR ProductType="3"). This filter will target server and domain controllers running the affected versions of Windows 2019.
9. Click OK to save the query to the filter.
10. Click Save to save your completed filter

To link the WMI filter to a GPO:

1. Open the Group Policy Management console.
2. In the navigation pane, find and click the GPO Disable SMBv3 Compression that you want to modify.
3. Under WMI Filtering, select the correct WMI filter from the list.
4. Click Yes to accept the filter

You can now attach this filter to any OU to which you want to apply the mitigation.

Client Mitigation

Client mitigation is harder since it means breaking functionality for some users. The recommended mitigation by TrustedSec is to limit the outbound connections on port 445 for hosts not in the enterprise network locally or via VPN. This refers to users traveling to customer sites or at their homes that need to connect to an SMB share since they will not be in the corporate network.

To create an outbound port rule:

1. Open the Group Policy Management console. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click and select New.
2. Name the GPO Windows 10 CVE-2020-0796, click OK.
3. Right-click on the new GPO named Windows 10 CVE-2020-0796 and select Edit.
4. In the navigation pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=….
5. In the navigation pane, click Outbound Rules.
6. Click Action, and then click New rule.
7. On the Rule Type page of the New Outbound Rule wizard, click Port, and then click Next.
8. On the Protocol and Ports page, select TCP as protocol and in Specific remote ports enter 445
9. Select Block the connections and click Next.
10. Under Profile un-select only Private and Public leaving only Domain. Click Next.
11. Under Name enter as name Windows 10 CVE-2020-0796. Click on Finish.

To target only the affected versions of Windows client hosts, we will create a WMI filter.

1. Open the Group Policy Management console.
2. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, and then click WMI Filters.
3. Click Action, and then click New.
4. In the Name text box, type the name of the WMI filter, Windows Server CVE-2020-0796
5. In the Description text box, type a description for the WMI filter. Filter for Windows 10 versions affected by CVE-2020-0796
6. Click Add.
7. Leave the Namespace value set to root\CIMv2.
8. In the Query text box, type: select * from Win32_OperatingSystem where (Version = "10.0.18363" OR Version="10.0.18362") AND ProductType="1" This filter will target Windows 10 clients with build 1903 and 1909.
9. Click OK to save the query to the filter.
10. Click Save to save your completed filter.

To link the WMI filter to a GPO:

1. Open the Group Policy Management console.
2. In the navigation pane, find and click the GPO Disable SMBv3 Compression that you want to modify.
3. Under WMI Filtering, select the correct WMI filter from the list.
4. Click Yes to accept the filter.

You can now attach this filter to any OU to which you want to apply the mitigation.

Conclusion

This vulnerability has the potential to be a great threat to our customers and we recommend that mitigations are tested and implemented to minimize risks where deemed necessary. Microsoft is working on the patch and as soon as it is released, its installation should be a priority to fully mitigate the risk this vulnerability brings. The mitigation should help while the patches are tested and deployed.

[UPDATE] Microsoft released the patch for the vulnerabilityon March, 12, 2020 . It can be downloaded via Windows Update, more information can be found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796. Mitigations recommended can be used while patches are applied.