Background
On 12th March 2020 Microsoft has released a Security guidance regarding Remote Code Execution vulnerability in the way that Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. A successful exploitation of the vulnerability could provide the attacker the ability to execute arbitrary code on the target SMB Server or SMB client. Microsoft has marked the CVE as Critical and provided an Exploitability index of "1- Exploitation more likely". The security guidance also provides a workaround for this vulnerability.
What is the issue?
An unauthenticated attacker could send a specially crafted packet to target SMBv3 Server. To attack an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince the client to connect to it. The specially crafted packet exploits SMBv3.1.1 compression feature.
What systems are impacted?
Windows 10 Version 1903, Windows 10 Version 1909, Windows Server Version 1903 and Windows Server Version 1909 running SMBv3 service.
What can you do to protect yourself?
Microsoft has not yet released a patch for this vulnerability and recommends a workaround which involves disabling SMBv3 compression. The steps to do this are mentioned in the workarounds section of advisory linked below,
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
They also recommend applying the patch as soon as the update is available.
Zscaler Coverage:
- Advanced Cloud Firewall signature: Win32.Exploit.CVE-2020-0796
- Advanced Cloud Sandbox: Win32.Exploit.CVE-2020-0796
We have not seen this vulnerability being exploited in the wild. Zscaler Cloud Sandbox provides proactive coverage against exploit payloads and advanced threats like ransomware, and the Zscaler ThreatLabZ team is actively monitoring for in-the-wild exploit attempts to ensure coverage.
