Shulou (Shulou.com), 05/31 report; updated 2025-01-18. Source: SLTechnology News & Howtos, Network Security.
This article reproduces the security announcement for the SMB remote code execution vulnerability CVE-2020-0796 in detail; interested readers may find it a useful reference.
[vulnerability name]
SMB remote code execution vulnerability (CVE-2020-0796), named "SMBGhost" by security researchers.
[vulnerability description]
Microsoft's March update, released on March 11, did not include information on a high-risk vulnerability numbered CVE-2020-0796, yet that vulnerability drew the most attention. The following night, Microsoft officially released the patch for CVE-2020-0796.
When the SMB 3.1.1 protocol processes compressed messages, the data is used without any security check, leading to a memory corruption vulnerability that an attacker may exploit to remotely execute arbitrary code.
An attacker can exploit this vulnerability to achieve remote code execution without credentials; a targeted system may be compromised merely by being powered on and reachable.
The consequences of this vulnerability are very close to those of the EternalBlue series: both use Windows SMB vulnerabilities to remotely obtain the highest system privileges. The WannaCry ransomware worm was a catastrophe created with the EternalBlue attack tools. Beyond directly attacking an SMB server to achieve RCE, a notable aspect of this vulnerability is that it also affects the SMB client: an attacker can trigger it in many ways, for example through a specially constructed web page, archive, shared directory or Office document.
The vulnerability did not appear in Microsoft's routine March update list; some foreign security vendors accidentally released news about it, which drew industry attention.
[vulnerability version]
The vulnerability does not affect Windows 7. It affects all 32-bit and 64-bit Windows releases from Windows 10 1903 onward, including the Home, Professional, Enterprise and Education editions:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, Version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, Version 1909 (Server Core installation)
These are the current mainstream operating system versions, widely used in both personal and enterprise environments.
[vulnerability type]
Remote code execution
[vulnerability level]
High risk
[serial number] CVE-2020-0796
[vulnerability impact]
According to data from the T-Sec network asset risk monitoring system (Tencent Yuzhi), about 100,000 potentially vulnerable SMB services worldwide are directly exposed to the public Internet and may become the first-round targets of attacks on this vulnerability.
Every terminal node running Windows 10 1903 or later in the networks of government agencies, enterprises and institutions is a potential target. Once attackers gain a foothold, they can use a targeted exploit tool to spread laterally inside the network, and the overall risk is no less than that of EternalBlue.
[solution]
Enterprise users:
1. Enterprises are advised to use the T-Sec network asset risk detection system (Tencent Yuzhi) to comprehensively check whether their network assets are affected by this vulnerability.
The T-Sec network asset risk detection system (Tencent Yuzhi) automatically discovers enterprise network assets and identifies their risks. It monitors enterprise websites, hosts, Mini Programs and other assets for weak passwords, web vulnerabilities, non-compliant or sensitive content, website tampering, cryptomining and other asset risks.
Enterprise users can use the T-Sec network asset risk detection system (yuzhi.qq.com) free of charge.
2. The T-Sec terminal security management system (Tencent Royal Point) has been upgraded to block attacks that exploit this vulnerability.
Enterprise network administrators can also use the network-wide vulnerability scanning and repair function of the T-Sec terminal security management system (Tencent Royal Point) to scan the whole network and install the KB4551762 patch.
Deploy the T-Sec terminal security management system (Tencent Royal Point) to intercept Trojans. For more information, see https://s.tencent.com/product/yd/index.html.
3. Enterprise users are advised to deploy the T-Sec advanced threat detection system (Tencent Yujie) to detect attacks.
The T-Sec advanced threat detection system (Tencent Yujie) is a threat intelligence and malicious-behaviour detection system built on Tencent's security capabilities and its large volume of cloud and endpoint data. It can promptly detect the various risks of intrusion and lateral movement in corporate networks. Reference link: https://cloud.tencent.com/product/nta
4. Tencent Security was the first to release an SMB remote code execution vulnerability scanning tool, which administrators can use to remotely check terminals across the network for the vulnerability.
To prevent abuse by attackers, the SMB remote code execution vulnerability scanning tool must be applied for. See the application process at:
https://pc1.gtimg.com/softmgr/files/20200796.docx
5. Enterprise users can also install the patch through Windows Update: in Windows Settings, open "Update and Security".
Individual users:
1. Individual users can also run Windows Update directly to install the patch.
2. Individual users can also modify the registry manually to prevent remote attacks:
Run regedit.exe to open the Registry Editor and, under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, create a DWORD value named DisableCompression set to 1. This disables SMB compression.
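The registry workaround above, expressed as a PowerShell check-and-remediate script. This is an added example, not part of the original announcement; it assumes an elevated prompt and uses the Windows 10 build numbers 18362 (1903) and 18363 (1909), which the article does not list, to decide whether the host is on an affected release.

```powershell
#Requires -RunAsAdministrator
# Added example: check a Windows host for CVE-2020-0796 exposure and apply the
# DisableCompression workaround described in the announcement if it is needed.

$affectedBuilds = @(18362, 18363)   # Windows 10 / Server 1903 and 1909 (assumed mapping)
$patchKb        = 'KB4551762'       # the patch named in the announcement
$regPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regName        = 'DisableCompression'

function Get-SmbGhostStatus {
    # Current OS build, whether the fix is installed, and whether the workaround is set.
    $build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $patched = [bool](Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue)
    $value   = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    $compressionDisabled = ($value -eq 1)
    $affected = $affectedBuilds -contains $build

    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = $affected
        PatchInstalled      = $patched
        CompressionDisabled = $compressionDisabled
        Exposed             = $affected -and -not $patched -and -not $compressionDisabled
    }
}

function Set-SmbCompressionDisabled {
    # Same effect as creating the DWORD DisableCompression = 1 in regedit.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name $regName -Type DWord -Value 1 -Force
}

$status = Get-SmbGhostStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning "Affected build with neither $patchKb nor the workaround; disabling SMBv3 compression."
    Set-SmbCompressionDisabled
    Write-Output "Workaround applied. Install $patchKb as the permanent fix."
}
```

The workaround disables compression on the SMB server side only; it does not protect a host acting as an SMB client, which the announcement notes is also attackable, so the patch remains the complete fix.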
This concludes the security announcement for the SMB remote code execution vulnerability CVE-2020-0796. We hope the content has been helpful; if you found the article useful, please share it so that more people can see it.