Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3
By connecting to a vulnerable Windows machine using SMBv3, or by causing a vulnerable Windows system to initiate a client connection to an SMBv3 server, a remote, unauthenticated attacker is able to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Microsoft Server Message Block 3.1.1 (SMBv3) contains a vulnerability, dubbed SMBGhost or EternalDarkness, in the way that it handles connections that use compression, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. It has been reported that this vulnerability is "wormable."
Successful exploitation of the vulnerability would grant the attacker arbitrary code execution in both SMB Server and SMB Client.
UPDATE: On March 12th, Microsoft released a patch, named KB4551762, to mitigate this vulnerability. A workaround is available if you cannot install the patch immediately.
UPDATE: On March 31st, a PoC was released by researchers García Gutiérrez (@danigargu) and Manuel Blanco Parajón (@dialluvioso_), available here: https://github.com/danigargu/CVE-2020-0796
Disable SMBv3 Compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
- No reboot is needed after making the change.
- This workaround does not prevent exploitation of SMB clients.
You can disable the workaround (re-enabling compression) with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
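To confirm the state of a host after applying the steps above, the following added example (not part of the original advisory or of Microsoft's guidance) reports whether the DisableCompression value is set and whether KB4551762 is listed as installed. The function name and output field names are illustrative assumptions.

```powershell
# Added example: report whether the SMBv3 compression workaround and the
# KB4551762 patch named in this advisory are present on the local machine.
# Function and field names are illustrative, not from Microsoft or CERT.be.

function Get-SmbCompressionMitigationStatus {
    [CmdletBinding()]
    param(
        [string]$HotFixId = 'KB4551762'
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # The value may be absent; a missing value means the workaround
    # has not been applied on this host.
    $value = $null
    $props = Get-ItemProperty -Path $path -Name 'DisableCompression' -ErrorAction SilentlyContinue
    if ($null -ne $props) { $value = $props.DisableCompression }

    # Get-HotFix matches updates by their own ID only. A later cumulative
    # update that supersedes KB4551762 will not match, so $false here means
    # "verify the OS build", not "unpatched".
    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisableCompression     = $value
        ServerWorkaroundActive = ($value -eq 1)
        HotFixListed           = [bool]$hotfix
        # The registry workaround does not protect the SMB client role,
        # so client coverage depends on the patch alone.
        ClientCoveredByPatch   = [bool]$hotfix
    }
}

$status = Get-SmbCompressionMitigationStatus
$status | Format-List

if (-not $status.ServerWorkaroundActive -and -not $status.HotFixListed) {
    Write-Warning 'Neither the workaround nor KB4551762 was found on this host.'
}
```

Reading the HKLM value and the hotfix list does not change the system, so the check can be repeated after each change.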
Block inbound and outbound SMB
Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN.
Microsoft released an advisory for this vulnerability. CERT.be recommends applying the patch as soon as possible!
If you cannot patch immediately, please apply the workaround explained above. The workarounds are also further explained on this blog.