Updated at 13:00 ET on March 11, 2020
The Claroty Research team has built a repository with tools (such as an NSE script) to detect potentially vulnerable assets related to the new Windows SMBv3 Remote Code Execution (RCE) vulnerability (CVE-2020-0796). More diagnostic tools will be added to the repository soon. Stay tuned.
On March 10, Microsoft accidentally released information about a new “wormable” Windows Server Message Block 3.0 (SMBv3) Remote Code Execution (RCE) vulnerability (CVE-2020-0796) during its regular Patch Tuesday update. Although Microsoft removed the information, another security vendor had already noticed the release and obtained details of the vulnerability before it was pulled from Microsoft’s publication API. This created significant public discussion about the vulnerability despite Microsoft’s best efforts to pull it back.
It is important to note that, especially since this was an accidental release, the situation is evolving and much remains unknown. Claroty’s research team will continue to investigate this issue and provide additional detection and mitigation recommendations as needed.
About the Vulnerability
Based on available information, the vulnerability affects the SMBv3 protocol (v3.1.1 and higher); more specifically, it resides in the protocol’s compression mechanism.
The vulnerability allows a “wormable” pre-auth RCE in both server and client attack scenarios. The most effective workaround published by Microsoft advises disabling the compression functionality of the SMBv3 protocol. However, this workaround does not mitigate the client attack scenario, which requires the attacker to make the victim access a specific SMB share.
As of this writing, Microsoft has not provided a patch, and no public exploitation of the issue has been detected.
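As an added example (not Claroty’s NSE script and not Microsoft’s code), the following Python parses a captured SMB2 NEGOTIATE response and flags hosts that negotiated dialect 3.1.1 while advertising a real compression algorithm, i.e. hosts on which the compression code path is still reachable and the published workaround has not been applied. The sample packet is constructed inline; field layouts follow MS-SMB2, and a host flagged here is only potentially vulnerable, since a patched server may still advertise compression.

```python
import struct

# MS-SMB2 2.2.3.1: compression negotiate-context type and the algorithm IDs a server may advertise
SMB2_DIALECT_311 = 0x0311
SMB2_COMPRESSION_CAPABILITIES = 0x0003
COMPRESSION_ALGORITHMS = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman"}

def parse_negotiate_response(pkt: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (starting at the 64-byte SMB2 header, NetBIOS
    session header already stripped) and report the dialect and advertised compression."""
    if pkt[:4] != b"\xfeSMB" or len(pkt) < 128:
        raise ValueError("not an SMB2 NEGOTIATE response")
    body = pkt[64:]
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", body, 0)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    (ctx_offset,) = struct.unpack_from("<I", body, 60)  # offset relative to SMB2 header start
    algos = []
    if dialect == SMB2_DIALECT_311:  # negotiate contexts exist only for dialect 3.1.1
        pos = ctx_offset
        for _ in range(ctx_count):
            ctx_type, data_len = struct.unpack_from("<HH", pkt, pos)
            data = pkt[pos + 8:pos + 8 + data_len]
            if ctx_type == SMB2_COMPRESSION_CAPABILITIES:
                # CompressionAlgorithmCount(2) Padding(2) Flags(4) CompressionAlgorithms(2 each)
                (count,) = struct.unpack_from("<H", data, 0)
                algos = list(struct.unpack_from(f"<{count}H", data, 8))
            pos = (pos + 8 + data_len + 7) & ~7  # next context starts on an 8-byte boundary
    return {
        "dialect": dialect,
        "compression": [COMPRESSION_ALGORITHMS.get(a, hex(a)) for a in algos],
        # dialect 3.1.1 plus a non-NONE algorithm: the compression path (CVE-2020-0796) is reachable
        "potentially_vulnerable": dialect == SMB2_DIALECT_311 and any(algos),
    }

def build_sample_response(algos, dialect=SMB2_DIALECT_311) -> bytes:
    """Constructed sample (not captured from a real host): a minimal NEGOTIATE response
    for the given dialect advertising the given compression algorithms."""
    header = b"\xfeSMB" + b"\x00" * 60
    has_ctx = dialect == SMB2_DIALECT_311
    body = struct.pack("<HHHH", 65, 1, dialect, 1 if has_ctx else 0) + b"\x00" * 48
    body += struct.pack("<HHI", 0, 0, 128 if has_ctx else 0)  # empty security buffer; contexts follow
    if not has_ctx:
        return header + body
    comp = struct.pack("<HHI", len(algos), 0, 0) + b"".join(struct.pack("<H", a) for a in algos)
    ctx = struct.pack("<HHI", SMB2_COMPRESSION_CAPABILITIES, len(comp), 0) + comp
    return header + body + ctx
```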
Known Affected Products (as of March 10, 2020)