2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article presents an example analysis of the Windows SMB v1 remote code execution vulnerability.
0x00 vulnerability background
On June 09, 2020, 360CERT's monitoring found that Microsoft had officially issued a risk notice for the SMB v1 remote code execution vulnerability. The vulnerability number is CVE-2020-1301 and the vulnerability level is high risk.
SMB (Server Message Block), also called the network file sharing system (Common Internet File System, abbreviated as CIFS), is an application-layer network transfer protocol developed by Microsoft. Its main function is to enable computers on the network to share computer files, printers, serial ports, communications and other resources.
A remote code execution vulnerability exists in SMB v1, which allows remote attackers to cause remote code execution by sending a specially crafted request packet to the affected system.
360CERT therefore recommends that users install the latest patches promptly and carry out asset self-examination and prevention work, so as to avoid attacks.
0x01 risk rating
360CERT's assessment of the vulnerability is as follows:
Assessment method | Level
Threat level | High risk
Impact scope | Wide
0x02 affected versions
Windows SMB: v1
0x03 repair recommendations
General patching recommendations:
Microsoft deprecated the SMBv1 protocol in 2014, and SMBv1 is disabled by default on the Windows 10 operating system.
Users are recommended to refer to Microsoft's official guidelines to disable the SMBv1 protocol.
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Docs
360CERT also released a report in 2017 on the security risks brought about by SMBv1.
Annual Security report 2017-disable SMBv1 Protocol-360CERT
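One way to carry out the self-check and the SMBv1 disablement recommended above on a single Windows host, as an added PowerShell example that is not code from 360CERT or Microsoft. The function name Get-Smb1State and the -Disable switch are hypothetical names chosen for this example, and the script assumes an elevated session on Windows 8.1/10 or later.

```powershell
# Added example: audit (and optionally disable) SMBv1 on the local host.
# Get-Smb1State and -Disable are names made up for this example.
[CmdletBinding()]
param(
    [switch]$Disable   # without this switch the script only reports
)

function Get-Smb1State {
    # Server side: will the SMB server still negotiate SMBv1?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Optional feature: is the SMBv1 component installed and enabled?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue

    # Client side: the SMBv1 redirector driver. Start = 4 means disabled;
    # the key is absent when the component has been removed.
    $drv = Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
        -Name Start -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$server
        FeatureState      = if ($feature) { [string]$feature.State } else { 'NotPresent' }
        ClientDriverStart = if ($drv) { $drv.Start } else { $null }
    }
}

$state = Get-Smb1State
$state | Format-List

$exposed = $state.ServerSmb1Enabled -or ($state.FeatureState -eq 'Enabled')

if ($exposed -and $Disable) {
    # Stop the server from accepting SMBv1, then remove the feature itself.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($state.FeatureState -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
            Out-Null
    }
    Get-Smb1State | Format-List
    Write-Warning 'Restart the host to finish removing the SMBv1 feature.'
}
elseif ($exposed) {
    Write-Warning 'SMBv1 is still enabled. Re-run with -Disable to turn it off.'
}
```

Running it without -Disable first gives an inventory view of which hosts still depend on SMBv1 before anything is changed.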
0x04 related cyberspace mapping data
By surveying and mapping assets across the whole network, the Security Brain Quake cyberspace mapping system found that SMBv1 is distributed around the world as shown in the following figure.
0x05 product side solution
360 city-level network security monitoring service
The QUAKE asset mapping platform of the Security Brain monitors for this type of vulnerability by means of asset mapping technology. Users can contact the relevant product area leaders to obtain the corresponding products.
360 security guard
For this security update, Windows users can install the corresponding patch through the 360 security guard, and users on other platforms can update vulnerable products according to the updated version in the list of repair suggestions.
The above is the example analysis of the Windows SMB v1 remote code execution vulnerability. If you have similar questions, you can refer to the analysis above.