
An example Analysis of SMBv3 Protocol worm-level vulnerability patches released by Microsoft

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Today I will walk you through an example analysis of the SMBv3 protocol worm-level vulnerability patch released by Microsoft. Many people may not know much about it, so to help you understand it better the editor has summarized the following. I hope you will get something out of this article.

0x00 event description

On March 11, 2020, 360-CERT detected a security advisory issued by an overseas vendor describing a memory corruption vulnerability in Microsoft's SMBv3 protocol, assigned CVE-2020-0796. The advisory stated that the vulnerability can be exploited remotely without authentication and is wormable.

On March 12, Microsoft officially issued a bug notice and related patches, and 360-CERT advised users to fix them as soon as possible.

The announcement is described as follows [see reference link 1]:

The vulnerability is caused by improper handling of compressed packets in SMBv3 by the operating system. An attacker who crafts a suitable packet can exploit it to execute arbitrary code remotely without authentication.

Affected versions

Windows 10 Version 1903 for 32-bit Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for ARM64-based Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows Server, version 1909 (Server Core installation)

On March 30, 360-CERT observed that security researchers abroad had published local exploit code on GitHub, and 360-CERT advised users to check their systems and apply the fix as soon as possible.

The result of vulnerability exploitation is shown in the figure:

0x01 Remediation recommendations

On March 12, Microsoft officially issued a bug notice and patch.

Download and install the update from the link below.

CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Users who cannot install the update can follow Microsoft's official guidance and disable the compression feature in SMBv3 as a workaround.

Run the following commands in PowerShell (the registry path and value are the ones Microsoft documents; the value name is passed positionally as -Name):

# Deactivate SMBv3 compression (apply the workaround)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

# Restore SMBv3 compression (undo the workaround after patching)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

This workaround only protects the SMB server side; it does not protect SMB clients. To avoid being affected through the client side, do not connect to untrusted SMB servers.
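The following script is an added example, not part of the original article or 360-CERT's own tooling. It audits a Windows host for the registry workaround described above and, with the hypothetical -Apply switch, writes the same DisableCompression value Microsoft documents. It assumes an elevated PowerShell session, and its "affected" check simply compares the ReleaseId value against the 1903 and 1909 releases listed in this article (it does not verify whether the Microsoft update itself is installed).

```powershell
# Added example (not from the original article or from 360-CERT): audits a host for the
# CVE-2020-0796 server-side workaround and optionally applies it.
# Assumptions: run as Administrator; the registry path and value name are the ones
# Microsoft documents (quoted in the article); "affected" only means the ReleaseId is
# one of the Windows 10 / Server releases the article lists (1903, 1909).
param(
    [switch]$Apply   # hypothetical switch: when set, write DisableCompression=1 instead of only reporting
)

$ParamsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedReleases = @('1903', '1909')   # releases named in the article

function Get-SmbCompressionState {
    # Returns an object describing the OS release and the current workaround state.
    $ver  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $item = Get-ItemProperty -Path $ParamsKey -Name 'DisableCompression' -ErrorAction SilentlyContinue
    # A missing value means compression is enabled (the default), which is the exposed state.
    $disable = if ($null -ne $item) { [int]$item.DisableCompression } else { 0 }
    [pscustomobject]@{
        ReleaseId            = $ver.ReleaseId
        Build                = $ver.CurrentBuild
        InAffectedReleaseSet = $AffectedReleases -contains $ver.ReleaseId
        DisableCompression   = $disable
        WorkaroundActive     = ($disable -eq 1)
    }
}

function Set-SmbCompressionWorkaround {
    param([ValidateSet(0, 1)][int]$Value)
    # Same write Microsoft documents; -Force creates the value if it does not exist yet.
    Set-ItemProperty -Path $ParamsKey -Name 'DisableCompression' -Type DWORD -Value $Value -Force
}

$state = Get-SmbCompressionState
$state | Format-List

if ($state.InAffectedReleaseSet -and -not $state.WorkaroundActive) {
    Write-Warning "Release $($state.ReleaseId) is in the affected list and SMBv3 compression is still enabled; install the Microsoft update, or apply the server-side workaround."
    if ($Apply) {
        Set-SmbCompressionWorkaround -Value 1
        Write-Host 'DisableCompression set to 1 (server-side workaround applied). Re-run without -Apply to verify.'
    }
} elseif ($state.WorkaroundActive) {
    Write-Host 'Workaround is active. It does not protect the SMB client side; install the update when possible.'
} else {
    Write-Host 'Release is not in the affected list from the article; no action taken.'
}
```

Run it once without -Apply to see the current state, then with -Apply on servers that cannot be patched immediately; after the Microsoft update is installed, restore the value to 0 with the command in the article (Set-SmbCompressionWorkaround -Value 0 does the same write).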

360-CERT recommends a one-click update by installing 360 Security Guard.

Microsoft Windows version updates should be carried out in a timely manner and Windows automatic updates should be kept on.

The procedure for checking and enabling Windows automatic updates on Windows Server / Windows is as follows:

Click the Start menu and select Control Panel from the pop-up menu.

On the Control Panel page, click "System and Security" to enter the settings.

In the window that opens, under Windows Update, select "Turn automatic updating on or off".

In the settings window, expand the drop-down menu and select "Install updates automatically (recommended)".

0x02 Related asset-mapping data

Internet-wide asset mapping shows that SMBv3 services are widely deployed around the world. The specific distribution is shown in the following figure.

0x03 Product-side solution

In response to this event, Windows users can install the patch through 360 Security Guard, and users on other platforms can update vulnerable products to the fixed versions given in the remediation recommendations.

360 city-level network security monitoring service

The QUAKE asset mapping platform of the 360 Security Brain monitors such vulnerabilities and events using asset mapping technology; users should contact the relevant product area leaders to obtain the corresponding products.

After reading the above, do you have a better understanding of this example analysis of Microsoft's worm-level SMBv3 vulnerability patch? If you want to learn more, please follow the industry information channel. Thank you for your support.
