CASE: SMBv3 SERVER COMPRESSION TRANSFORM HEADER MEMORY CORRUPTION

Written on 08 Apr 2021 by Jeroen van de Weerd, updated on the 12th of Dec 2024 by Serena de Pater

The case

On March 10, 2020, Microsoft published information about a serious vulnerability in Microsoft’s Server Message Block protocol version 3. The vulnerability (CVE-2020-0796) is a remote code execution vulnerability that exists in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. A remote, unauthenticated attacker can exploit it to execute arbitrary code within the context of the application.

The exploit

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The impact

There were similarities with both WannaCry and NotPetya, which both used SMBv1 to spread quickly around the world. SMB lets different users work with shared folders, which makes it fertile ground for lateral movement and client-to-client infection, as earlier SMB exploits had shown. However, this was no WannaCry 2.0. ‘It was a critical vulnerability but there was a patch for it pretty soon,’ said DIVD’s case lead Sander Spierenburg.

DIVD volunteers warned that there was a serious threat to office networks using Windows 10. For client systems, it was not possible to disable compression in SMBv3, so opening a link to a rogue SMBv3 server could have been enough to execute unauthorized code on the client. The available workarounds were disabling compression (on servers) or blocking TCP port 445.

What we did

On March 10, the first scan was done on Dutch IP addresses only. About 200 IP addresses were running SMB 3.1.1 with compression enabled. Notifications were sent by DIVD’s partner CleanNetworks.

On March 11, a worldwide scan by DIVD showed 62,000 IP addresses running SMB 3.1.1 with compression enabled. The next day there were 32,000 vulnerable IP addresses. It was not clear why; possibly some large ISPs had already closed port 445 as a temporary workaround.

On March 12, the Sophos Labs Offensive Security Team appeared to demonstrate a working exploit, the same day Microsoft published a patch. After the patch was released, vulnerable systems could no longer be identified by scanning alone, so no additional scans were performed. On December 3, 2020, this case was closed.

What you can do

  • Close ports that do not need to be open to the internet.
  • Use the latest version of SMB.
  • Install all patches from Microsoft as soon as possible.
  • Workaround for servers: Block port 445 or disable compression.

Update 12-3-2020: Microsoft has published an out-of-band patch for this vulnerability. We advise everyone to patch as soon as possible. Information about the patch is available here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
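As an added example (not from the DIVD case page or from Microsoft), the PowerShell below reports whether the server-side workarounds from the list above are in place and applies them on request. It assumes Microsoft's published DisableCompression registry value under the LanmanServer Parameters key, an elevated shell, and the built-in NetSecurity module; the firewall rule name is made up.

```powershell
# Added example: check and apply the CVE-2020-0796 server workarounds.
# Run from an elevated PowerShell; -Apply disables SMB compression,
# -BlockPort adds a host-firewall rule for inbound TCP 445.
param([switch]$Apply, [switch]$BlockPort)

$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block inbound SMB 445 (CVE-2020-0796 workaround)'   # assumed name

function Get-SmbCompressionState {
    # 'disabled' when DisableCompression is 1 (workaround active), else 'enabled'.
    $v = Get-ItemProperty -Path $key -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.DisableCompression -eq 1) { return 'disabled' }
    return 'enabled'
}

function Disable-SmbCompression {
    # Microsoft's workaround: DWORD DisableCompression = 1; takes effect without a reboot.
    Set-ItemProperty -Path $key -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Test-SmbPortBlocked {
    # True when our inbound-block rule exists and is enabled.
    $r = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    return ($null -ne $r -and $r.Enabled -eq 'True')
}

function Block-SmbInbound {
    # Alternative workaround from the list: drop inbound TCP 445 at the host firewall.
    if (-not (Test-SmbPortBlocked)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
}

# Report the current state so the check can be run before and after mitigation.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("SMB listening on 445: {0}" -f ($null -ne $listening))
Write-Host ("SMB compression     : {0}" -f (Get-SmbCompressionState))
Write-Host ("Inbound 445 blocked : {0}" -f (Test-SmbPortBlocked))

if ($Apply)     { Disable-SmbCompression; Write-Host 'Compression disabled.' }
if ($BlockPort) { Block-SmbInbound;       Write-Host 'Inbound TCP 445 blocked.' }
```

Run without switches first to audit a host; the workarounds reduce exposure but do not replace installing the Microsoft patch.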

More information