2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
How to Understand the Microsoft Windows SMBv3 Service Remote Code Execution Vulnerability
Many newcomers are unclear about the Microsoft Windows SMBv3 service remote code execution vulnerability. To help with that, this article explains it in detail for anyone who needs it.
Document Information
No.: QiAnXinTI-SV-2020-0008
Keywords: SMB, CVE-2020-0796
Release date: March 11, 2020
Update date: March 22, 2020
TLP: WHITE
Analysis team: QiAnXin Threat Intelligence Center
Announcement Overview
On March 11, 2020, a foreign security company released an overview of the vulnerabilities covered by a recent Microsoft security patch package. It mentioned an SMB service remote code execution vulnerability (CVE-2020-0796) with a threat level of Critical. The vulnerability can be exploited remotely without user authentication: by sending specially constructed malicious data, an attacker could cause malicious code to execute on the target system and gain full control of the machine.
The Red Raindrop team of the QiAnXin Threat Intelligence Center has confirmed that the vulnerability exists. It can reliably crash the system, and the possibility of arbitrary code execution is not ruled out. Because the vulnerability requires no user authentication, it could lead to worm-like propagation similar to the WannaCry attacks.
Microsoft released the corresponding security patch on March 12, 2020, and users are strongly advised to install it immediately to avoid the risk posed by this vulnerability. On March 14, 2020, a PoC that crashes affected systems with a blue screen was released on public channels; it can reliably cause a remote denial of service.
On March 22, the QiAnXin Code Security team released a non-destructive remote scanner for this vulnerability, which helps network administrators quickly identify vulnerable systems.
Vulnerability Summary
Vulnerability name: Microsoft Windows SMBv3 service remote code execution vulnerability
Threat type: Remote code execution
Threat level: Serious
Vulnerability ID: CVE-2020-0796
Exploitation scenario: An attacker can trigger the vulnerability by sending specially constructed packets, which may lead to control of the target system without user authentication. Both server and client systems are affected.
Affected systems and application versions:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Vulnerability Description
The vulnerability exists in Windows's SMBv3.0 (the file and printer sharing service). Technical details have not yet been published. Exploitation requires no user authentication: a crafted malicious request can trigger arbitrary code execution, leaving the system under unauthorized control.
Impact area assessment
This vulnerability mainly affects the SMBv3.0 protocol. Devices that currently support this protocol include Windows 8, Windows 8.1, Windows 10, Windows Server 2012 and Windows Server 2016. However, according to Microsoft's announcement, the main affected target is Windows 10. Given the number of such devices, the potential threat is considerable.
Handling Recommendations
Repair method
1. Microsoft has released a security patch for this vulnerability; see the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
2. If the patch cannot be installed for the time being, Microsoft currently recommends the following temporary workaround. Run the following command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
This disables the compression feature of SMB 3.0. Decide whether to use it based on your own business needs.
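The workaround above as an audit-then-apply check, added here as an example (not from the original bulletin or from Microsoft). The function name and output fields are illustrative; it reads the ReleaseId registry value to match the 1903/1909 releases listed above and does not check whether the patch is installed.

```powershell
# Added example: report whether the DisableCompression workaround is in place
# on an affected release, and optionally set it. Names are illustrative.
function Test-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Apply   # set DisableCompression = 1 when it is missing
    )

    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $verKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $affected = '1903', '1909'   # releases listed as affected in the bulletin

    # Missing values come back as $null instead of raising an error.
    $release = (Get-ItemProperty -Path $verKey -Name ReleaseId `
                    -ErrorAction SilentlyContinue).ReleaseId
    $current = (Get-ItemProperty -Path $paramKey -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression

    $inScope  = $affected -contains $release
    $disabled = ($current -eq 1)

    # Only touch the registry on affected releases where the value is not set.
    if ($Apply -and $inScope -and -not $disabled) {
        if ($PSCmdlet.ShouldProcess($paramKey, 'Set DisableCompression = 1')) {
            Set-ItemProperty -Path $paramKey -Name DisableCompression `
                -Type DWORD -Value 1 -Force
            $disabled = $true
        }
    }

    # One object per host, so results can be piped to Export-Csv or Where-Object.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $release
        AffectedRelease     = $inScope
        CompressionDisabled = $disabled
        NeedsAction         = ($inScope -and -not $disabled)
    }
}

Test-SmbCompressionWorkaround                    # report only
# Test-SmbCompressionWorkaround -Apply -WhatIf   # preview the change
# Test-SmbCompressionWorkaround -Apply           # apply (elevated prompt)
```

Per Microsoft's advisory, the setting takes effect without a reboot and protects only the SMB server side; SMB clients remain exposed until the patch is installed.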