Updated March 20, 2020.
On March 10th, Microsoft published a security advisory of critical severity for CVE-2020-0796, which is a remote code execution vulnerability affecting the Microsoft Server Message Block 3.1.1 (SMBv3).
The vulnerability is in the same category as the SMBv1 flaw (MS17-010) exploited by the well-known WannaCry and NotPetya ransomware: an unauthenticated remote code execution bug in a network service that malware can use to spread automatically. Those two programs spread around the world in 2017, leading to costly outages in a wide range of industries, including transportation and logistics (Maersk, about $300 million) and pharmaceutical manufacturing (Merck, about $670 million).
While no working remote code execution exploit for the new vulnerability had been published at the time of writing, it is important for asset owners to patch immediately or implement other mitigations to protect their operations.
Machines and PCs using Microsoft Windows operating systems need to be immediately patched or protected to secure OT and IoT environments.
Which Microsoft Windows Versions Are Vulnerable
CVE-2020-0796 is a remote code execution vulnerability affecting the Microsoft Server Message Block 3.1.1 (SMBv3) implementation. The vulnerability is an integer overflow in the decompression routine of the srv2.sys kernel driver, which processes SMB packets on the server side. The bug lives in the handling of the compression feature that SMB 3.1.1 gained with Windows 10 version 1903, which is why the affected list is limited to the version 1903 and 1909 builds.
An unauthenticated attacker can exploit a vulnerable SMB server by sending a specially crafted compressed packet, with no user interaction required, which is what makes the flaw wormable. SMB clients that connect to a malicious SMB server (for example through a UNC path the attacker controls) are also vulnerable, because the same flaw exists in the client-side decompression code.
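To make the mechanism concrete, here is an added example (not code from the original post, from Nozomi Networks, or from the srv2.sys driver itself) in PowerShell. It parses the 16-byte SMB2 compression transform header defined in MS-SMB2 (ProtocolId 0xFC 'S' 'M' 'B', OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset) and reproduces the unchecked 32-bit addition of OriginalCompressedSegmentSize and Offset that public analyses describe in the unpatched decompression routine. The function names are the example's own, and the two sample headers are constructed here for illustration.

```powershell
# Added example, not code from the original post or from srv2.sys.
# Models the SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42) and the
# unchecked ULONG addition OriginalCompressedSegmentSize + Offset.

function New-Smb2CompressionHeader {
    # Build a constructed header for testing; fields are little-endian as on the wire.
    param(
        [uint32]$OriginalSize,
        [uint32]$Offset,
        [uint16]$Algorithm = 1,   # 0x0001 = LZNT1
        [uint16]$Flags = 0
    )
    [byte[]]$out = 0xFC, 0x53, 0x4D, 0x42            # ProtocolId: 0xFC 'S' 'M' 'B'
    $out += [BitConverter]::GetBytes($OriginalSize)  # OriginalCompressedSegmentSize
    $out += [BitConverter]::GetBytes($Algorithm)     # CompressionAlgorithm
    $out += [BitConverter]::GetBytes($Flags)         # Flags
    $out += [BitConverter]::GetBytes($Offset)        # Offset/Length
    return $out
}

function Read-Smb2CompressionHeader {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 16 -or $Bytes[0] -ne 0xFC -or $Bytes[1] -ne 0x53 -or
        $Bytes[2] -ne 0x4D -or $Bytes[3] -ne 0x42) {
        return $null   # not a compressed SMB2 message
    }
    [pscustomobject]@{
        OriginalCompressedSegmentSize = [BitConverter]::ToUInt32($Bytes, 4)
        CompressionAlgorithm          = [BitConverter]::ToUInt16($Bytes, 8)
        Flags                         = [BitConverter]::ToUInt16($Bytes, 10)
        Offset                        = [BitConverter]::ToUInt32($Bytes, 12)
    }
}

function Test-Smb2CompressionOverflow {
    # Returns what an unchecked 32-bit sum would allocate and whether it wrapped.
    param([byte[]]$Bytes)
    $h = Read-Smb2CompressionHeader $Bytes
    if (-not $h) { return $null }
    # PowerShell widens integers instead of wrapping, so compute the true sum
    # in 64 bits and reduce modulo 2^32 to mimic a ULONG addition.
    [long]$trueSum = [long]$h.OriginalCompressedSegmentSize + [long]$h.Offset
    [pscustomobject]@{
        OriginalCompressedSegmentSize = $h.OriginalCompressedSegmentSize
        Offset                        = $h.Offset
        UncheckedAllocation           = [uint32]($trueSum % 4294967296)
        Overflows                     = ($trueSum -gt [uint32]::MaxValue)
    }
}

# Constructed samples: a plausible benign header and one whose sum wraps.
$benign  = New-Smb2CompressionHeader -OriginalSize 0x100 -Offset 0x10
$crafted = New-Smb2CompressionHeader -OriginalSize 0xFFFFFFFF -Offset 0x10
Test-Smb2CompressionOverflow $benign
Test-Smb2CompressionOverflow $crafted
```

For the crafted header the 64-bit sum is 0x10000000F, so a ULONG addition wraps to 0xF: a buffer of 15 bytes would be sized for a message that claims a 16-byte raw prefix plus 4 GiB of decompressed data. A network sensor can apply the same arithmetic to every compression transform header it sees on TCP 445 and flag any message where the sum exceeds 0xFFFFFFFF, which is exactly the condition the unpatched code failed to check.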
The following Windows versions are affected:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Act Now to Secure Vulnerable OT and IoT Networks
Microsoft recommends the following workaround (ADV200005) to prevent exploitation of SMB servers. It disables SMBv3 compression on the server side, takes effect without a reboot, and does not protect SMB clients:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Moreover, blocking TCP port 445 at the network perimeter is recommended in order to protect systems from attacks originating from the outside. This does not stop an attacker who already has a foothold inside the network, so it complements patching rather than replacing it.
On March 12th, Microsoft released an update to patch the vulnerability (KB4551762):
- ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
- March 12, 2020—KB4551762 (OS Builds 18362.720 and 18363.720)
Other measures include:
- Block internet-facing and public-facing SMB connections (TCP port 445)
- Disable server-side SMBv3 compression until the update can be applied
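As an added example (not from the original post, and not Microsoft's or Nozomi Networks' tooling), the following PowerShell audits a single host against the points above: whether its OS build is one of the affected ones and already at the KB4551762 revision (18362.720 / 18363.720), whether the ADV200005 workaround value is set, whether the update is listed by Get-HotFix, and whether SMB is listening on TCP 445. The function names are the example's own; run it from an elevated shell on the host being checked.

```powershell
# Added example, not code from the original post, Microsoft or Nozomi Networks.
# Audits the local host for CVE-2020-0796 exposure; run from an elevated shell.

function Get-Smb3CompressionVulnStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild     # 18362 = Windows 10/Server 1903, 18363 = 1909
    $ubr   = [int]$cv.UBR              # update build revision; KB4551762 raises it to 720

    $affectedBuild = $build -in @(18362, 18363)
    $fixedByBuild  = $affectedBuild -and ($ubr -ge 720)

    $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                               -ErrorAction SilentlyContinue
    $serverCompressionOff = ($lanman.DisableCompression -eq 1)   # ADV200005 workaround

    $kbInstalled = [bool](Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue)

    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                                                -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OsBuild              = "$build.$ubr"
        AffectedBuild        = $affectedBuild
        KB4551762Installed   = $kbInstalled
        FixedByBuildNumber   = $fixedByBuild
        ServerCompressionOff = $serverCompressionOff
        Smb445Listening      = $listening445
        # Server side still exposed: affected build, not patched, workaround absent.
        ServerExposed        = $affectedBuild -and -not $fixedByBuild -and -not $serverCompressionOff
        # The workaround does nothing for the client side; only the update fixes it.
        ClientExposed        = $affectedBuild -and -not $fixedByBuild
    }
}

function Set-Smb3ServerCompression {
    # Apply (-Disable) or revert the ADV200005 workaround; no reboot is required.
    param([switch]$Disable)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                     -Name DisableCompression -Type DWORD -Value ([int][bool]$Disable) -Force
}

Get-Smb3CompressionVulnStatus | Format-List
```

The build revision check is deliberately separate from Get-HotFix: once a later cumulative update supersedes KB4551762, Get-HotFix may no longer list it, while the UBR value keeps increasing and remains a reliable signal. Once a host reports a fixed build, the workaround can be reverted with Set-Smb3ServerCompression (without -Disable) if compression is wanted again.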
Ways to Improve Cyber OT and IoT Security and Reliability
Of course, to patch or protect Windows machines, you need to identify them. A foundational best practice is to have an updated asset inventory that identifies devices, their operating system, version number and known vulnerabilities. There are solutions that do this quickly and automatically, including our own.
Furthermore, continuously updated threat and vulnerability intelligence allows you to reduce both the mean time to detect (MTTD) and the mean time to respond (MTTR). This gives you the best possible opportunity to eliminate or contain threats and secure OT/IoT environments.
The Nozomi Networks Threat Intelligence service has been updated to detect assets vulnerable to CVE-2020-0796. Customers can find their vulnerable assets listed in Guardian, under the Vulnerability tab.
In addition, we have investigated the vulnerability in detail and added accurate protection for real-time detection of any exploitation attempts related to CVE-2020-0796 to Threat Intelligence.
In closing, I want to emphasize that this is a critical vulnerability and it is important for all organizations with OT and IoT networks to take protective actions.
References
- cve.mitre.org: CVE-2020-0796
- microsoft.com: ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression
- microsoft.com: March 12, 2020 - KB4551762 (OS Builds 18362.720 and 18363.720)
Alessandro Di Pinto, Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research papers “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.