CVE-2020-0796: Microsoft SMBv3 Remote Code Execution Vulnerability Analysis


Rapid7 chief data scientist Bob Rudis, threat intelligence team member Charlie Stafford, and VRM engineering manager Brent Cook also contributed significant data and analysis to this blog.


During this week’s Patch Tuesday (March 10, 2020), the security community noticed that Microsoft published and then immediately deleted information about CVE-2020-0796, a critical remote code execution vulnerability in the SMBv3 protocol. Researchers took note, and shortly thereafter, Microsoft published a formal advisory about the vulnerability, which was unpatched as of yesterday (March 11, 2020). This morning, Microsoft released patches that correct how the SMBv3 protocol handles specially-crafted requests.


Vulnerability description


Microsoft’s advisory states that a crafted SMBv3 packet could be used to achieve remote code execution on a vulnerable SMB Server. Exploitation of an unauthenticated SMB Client requires the victim to have connected to an SMBv3 server controlled by the attacker.


Affected versions:


Windows 10 v1903
Windows 10 v1909
Windows Server v1903
Windows Server v1909

Patches are available as of March 12, 2020. For users who are unable to patch immediately, Microsoft’s guidance is to disable SMBv3 compression and block TCP port 445 on firewalls and client computers as a workaround.
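As an added illustration of that workaround (this script is not from the Rapid7 post or from Microsoft), the following PowerShell applies both interim mitigations on a host and verifies that they took effect. It assumes the DisableCompression DWORD under LanmanServer\Parameters is the switch named in Microsoft's workaround guidance, that ReleaseId reports 1903/1909 for the affected builds, and that the rule name is arbitrary.

```powershell
# Added example: apply and verify the CVE-2020-0796 interim workarounds
# (disable SMBv3 compression, block inbound TCP 445). Run in an elevated shell.
# Assumptions: DisableCompression under LanmanServer\Parameters is the value
# from Microsoft's workaround guidance; ReleaseId exposes the 1903/1909 release.
$ErrorActionPreference = 'Stop'
$affectedReleases = @('1903', '1909')
$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName  = 'Block inbound SMB TCP 445 (CVE-2020-0796 workaround)'  # arbitrary name

function Test-AffectedRelease {
    # Only the 1903/1909 releases listed in the advisory are affected.
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    return ($affectedReleases -contains $releaseId)
}

function Disable-SmbCompression {
    # Set the value, then read it back rather than trusting the write.
    Set-ItemProperty -Path $smbParams -Name DisableCompression -Type DWORD -Value 1 -Force
    $current = (Get-ItemProperty -Path $smbParams -Name DisableCompression).DisableCompression
    return ($current -eq 1)
}

function Block-InboundSmb {
    # Idempotent: create the block rule only if it does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

if (-not (Test-AffectedRelease)) {
    Write-Output 'ReleaseId is not 1903 or 1909; host is outside the affected list, nothing changed.'
    return
}
Write-Output ("SMBv3 compression disabled: {0}" -f (Disable-SmbCompression))
Write-Output ("Inbound TCP 445 blocked:     {0}" -f (Block-InboundSmb))
Write-Output 'Workaround applied; remove the rule and value once the March 12 patch is installed.'
```

Blocking 445 on a file server also stops legitimate SMB clients, which is why the advisory scopes the port block to perimeter firewalls and client computers rather than every host.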


Rapid7 Analysis


Rapid7 rates this vulnerability as being high value for attackers, but it is not known to be actively exploited in the wild as of the time of writing.


Since Window ..
