SMBv3 Vulnerability Explained

SMBv3 Vulnerability Explained

SMBGhost

What Happened?

This week, Microsoft accidentally published information around a newly identified vulnerability in SMBv3, which is being dubbed SMBGhost. This vulnerability can lead to remote code execution on the server, which is always a major concern as far as the severity of vulnerabilities go. The version affected specifically is 3.1.1, which is a more recent version. They mention that this can be exploited from an unauthenticated attacker who sends a specially crafted packet to a target the SMBv3 Server. This is extremely similar to the SMBv1 vulnerability that I recently covered. The scary part about this vulnerability is that it has been deemed ‘wormable’ which means if someone were to exploit one of your machines, it can potentially spread from machine to machine throughout your environment.

What’s Affected

It’s been identified that all Windows 10 and Windows Server running version 1903 and 1909 are affected by this. Fortunately, there some potential mitigations and workarounds that you can take to avoid this issue, and as of 3/12/2020, Microsoft actually released a patch that addresses this vulnerability.

Prevention and Mitigation of SMBv3

Obviously, the first thing that you’ll want to do if you’re able, is to apply the patch mentioned above. Keeping your security patches up to date is the most effective way to mitigate identified vulnerabilities that have known solutions. If for whatever reason, you’re not able to apply the patch in the short term, Microsoft has identified a workaround to prevent this from being exploited. The issue lies in SMB compression, so disabling this feature of SMB will protect you from an attacker attempting to exploit it.

{code} Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force{code}

The above PowerShell code to update your registry will disable the compression feature on SMB Servers. This will not protect your SMB clients, the code needed to update your clients is below:

{code} Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force{code}

Fortunately, neither of these updates to the registry requires a reboot to take effect. One question you may have, is what impact will disabling SMB compression have? Well, funny enough, Microsoft mentions in their advisory that SMB compression isn’t even used in Windows or Windows Server yet. It will have no negative performance impact.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.

Privacy Preference Center

      Necessary

      Advertising

      Analytics

      Other