Segurança - SMBGhost - workaround
fonte: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Security Update Guide > Details
CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Security Vulnerability
A
remote code execution vulnerability exists in the way that the
Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain
requests. An attacker who successfully exploited the vulnerability could
gain the ability to execute code on the target server or client.
To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service |
---|---|---|---|---|
Yes | No | 1 - Exploitation More Likely | 1 - Exploitation More Likely | N/A |
Product
|
Platform
|
Article
|
Download
|
Impact
|
Severity
|
Supersedence
|
---|---|---|---|---|---|---|
Windows 10 Version 1903 for 32-bit Systems | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows 10 Version 1903 for ARM64-based Systems | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows 10 Version 1903 for x64-based Systems | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows 10 Version 1909 for 32-bit Systems | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows 10 Version 1909 for ARM64-based Systems | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows 10 Version 1909 for x64-based Systems | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows Server, version 1903 (Server Core installation) | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
|
Windows Server, version 1909 (Server Core installation) | 4551762 | Security Update | Remote Code Execution | Critical |
4540673
|
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.Workarounds
The following workaround
may be helpful in your situation. In all cases, Microsoft strongly
recommends that you install the updates for this vulnerability as soon
as they become available even if you plan to leave this workaround in
place:
Disable SMBv3 compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Disable SMBv3 compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Notes:- No reboot is needed after making the change.
- This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients.
- SMB Compression is not yet used by Windows or Windows Server, and disabling SMB Compression has no negative performance impact.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Note:
No reboot is needed after disabling the workaround.FAQ
What steps can I take to protect my network?
1. Block TCP port 445 at the enterprise perimeter firewall
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
2. Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network
Preventing SMB traffic from lateral connections and entering or leaving the network
Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?
No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression and are not affected.
Windows Server, version 1903 (Server Core installation) and Windows Server, version 1909 (Server Core installation) are in the Security Updates Table. Are Windows Server, version 1903 and Windows Server, version 1909 that are not Server Core installation affected by this vulnerability?
No. Windows Server, versions 1903 and 1909 were both released under the Semi-Annual Channel (SAC) channel. As such, only a Server Core installation is available. For more information Windows servicing channels, please see Servicing Channels-19
1. Block TCP port 445 at the enterprise perimeter firewall
TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
2. Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network
Preventing SMB traffic from lateral connections and entering or leaving the network
Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?
No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression and are not affected.
Windows Server, version 1903 (Server Core installation) and Windows Server, version 1909 (Server Core installation) are in the Security Updates Table. Are Windows Server, version 1903 and Windows Server, version 1909 that are not Server Core installation affected by this vulnerability?
No. Windows Server, versions 1903 and 1909 were both released under the Semi-Annual Channel (SAC) channel. As such, only a Server Core installation is available. For more information Windows servicing channels, please see Servicing Channels-19
Acknowledgements
Microsoft Platform Security Assurance & Vulnerability Research
See acknowledgements for more information.Disclaimer
The
information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.
Revisions
Version | Date | Description |
---|---|---|
1.0 | 03/12/2020 | Information published. CVE-2020-0796 resolves the issue discussed in ADV200005 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005). Customers who have already installed the updates released on March 10, 2020 for the affected operating systems should install KB4551762 to be protected from this vulnerability. |
1.1 | 03/13/2020 | The
following revisions have been made: 1. Added an FAQ to clarify that
only a Server Core installation is available for Windows Server, version
1903 and Windows Server, version 1909. 2. In the Workarounds, added
Note number 3 to state that SMB Compression is not yet used by Windows
or Windows Server, and disabling SMB Compression has no negative
performance impact. These are informational changes only. |