Microsoft provides mitigation advice for critical vulnerability in SMBv3 protocol
Having inadvertently revealed details of an unpatched security flaw, Microsoft published an advisory that provides details on a recently detected vulnerability in the SMBv3 (Server Message Block) protocol. Attackers who exploit the issue successfully "gain the ability to execute code on the target SMB Server or SMB Client" according to Microsoft's disclosure.
Attacks against SMB Servers use a specially crafted packet that is sent to the target. Attacks against SMB Clients are more complicated as it is required to configure a malicious SMBv3 Server and get users to connect to it.
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
All recent versions of Windows 10 and Windows Server are affected by the vulnerability that Microsoft rates as critical, the highest severity rating:
- Windows 10 version 1903 32-bit and 64-bit, and ARM.
- Windows 10 version 1909 32-bit and 64-bit, and ARM.
- Windows Server version 1903.
- Windows Server version 1909.
The vulnerability is in the compression functionality of SMBv3. Microsoft suggests that organizations disable compression on Servers to protect these against attacks. The workaround does not protect SMB Clients from being attacked since attacks against clients require a malicious server and clients connecting to that server.
System administrators may run the following PowerShell command to disable compression on SMBv3 Servers. Note that the command needs to be run from an elevated PowerShell prompt.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
The change can be undone by running the following command from an elevated PowerShell prompt:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Microsoft notes that a restart is not required to make the change.
System administrators may also block TCP port 445 at the Enterprise perimeter firewall as it is used to "initiate a connection with the affected component".
Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks
Systems remain vulnerable to attacks "from within their enterprise perimeter" however.