2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article gives a theoretical analysis of the patch for CVE-2020-0796, the "worm-level" vulnerability in Microsoft's SMBv3 protocol. The editor finds it very practical and shares it here in the hope that you will get something out of it.
0x00 Event description
On March 11, 2020, 360-CERT detected a security-rule notice issued by an overseas vendor. It described a memory corruption vulnerability in Microsoft's SMBv3 protocol, identified as CVE-2020-0796, and said that the vulnerability could be exploited remotely without authentication and could be used by a worm.
On March 12, Microsoft officially issued a vulnerability advisory and related patches, and 360-CERT advised users to apply them as soon as possible.
The announcement is described as follows [see reference link 1]:
The vulnerability is due to improper handling of compressed packets in SMB3 by the operating system. An attacker who successfully constructs such a packet can exploit this vulnerability to execute arbitrary code remotely without authentication.
Affected versions
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, version 1909 (Server Core installation)
0x01 Repair recommendations
On March 12, Microsoft officially issued a vulnerability advisory and patch.
Download and install the fix from the link below.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Users who are unable to install updates can choose to follow Microsoft's official guidelines and disable the compression feature in SMBv3.
Run the following commands in PowerShell:
# Disable SMBv3 compression
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
# Restore SMBv3 compression
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
This workaround does not protect clients. To avoid being affected by this vulnerability, do not connect to untrusted SMB servers.
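To confirm that the workaround above is actually in place on a host, the following audit function reads the same registry value and compares the Windows release with the affected list. It is an added example, not part of the original advisory; the function name and the output fields are hypothetical, and it assumes the release can be read from the ReleaseId value under the CurrentVersion key.

```powershell
# Added example: audit the SMBv3 compression workaround on the local host.
# Read-only; it changes nothing in the registry.
$ParamPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$VersionPath      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$AffectedReleases = @('1903', '1909')   # releases listed as affected on this page

function Get-SmbCompressionWorkaroundStatus {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # Release identifier of this installation, e.g. "1903" or "1909".
    $releaseId = (Get-ItemProperty -Path $VersionPath).ReleaseId

    # The value is absent by default; absence means compression is still enabled.
    $value = $null
    $prop = Get-ItemProperty -Path $ParamPath -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $value = $prop.DisableCompression }

    $affected = $AffectedReleases -contains $releaseId
    $applied  = ($value -eq 1)

    if (-not $affected) {
        $assessment = 'Release is not in the affected list.'
    } elseif ($applied) {
        $assessment = 'Server-side workaround applied. Client side is still exposed until the update is installed.'
    } else {
        $assessment = 'Affected release and workaround NOT applied. Install the update or set DisableCompression to 1.'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $releaseId
        AffectedRelease    = $affected
        DisableCompression = $value      # $null = value not present
        WorkaroundApplied  = $applied
        Assessment         = $assessment
    }
}

Get-SmbCompressionWorkaroundStatus | Format-List
```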
360CERT recommends a one-click update by installing 360 Security Guard.
Microsoft Windows version updates should be carried out in a timely manner and Windows automatic updates should be kept on.
The procedure for checking and turning on Windows automatic updates on Windows Server / Windows is as follows:
Click the Start menu and select Control Panel from the pop-up menu.
Click "System and Security" on the Control Panel page to enter the settings.
In the new window that opens, select "Turn automatic updating on or off" under Windows Update.
In the settings window, expand the drop-down menu and select "Install updates automatically (recommended)".
0x02 Related cyberspace mapping data
Mapping the assets of the whole network shows that SMBv3 services are widely used all over the world. The specific distribution is shown in the following figure.
0x03 Product-side solutions
360 Security Guard
In response to this event, Windows users can install patches through 360 Security Guard, and users on other platforms can update vulnerable products according to the updated product versions in the list of repair recommendations.
360 City-level network security monitoring service
The QUAKE asset mapping platform of the security brain monitors such vulnerabilities / events by means of asset mapping technology; users can contact the relevant regional product leads to obtain the corresponding products.
The above is the theoretical analysis of the patch for the "worm-level" vulnerability CVE-2020-0796 in Microsoft's SMBv3 protocol. The editor believes it contains knowledge points that we may see or use in our daily work, and hopes you can learn more from this article.