Threat Brief: Microsoft SMBv3 Wormable Vulnerability CVE-2020-0796

This post is also available in: 日本語 (Japanese)

Executive Summary

In March 2020 Microsoft released a security advisory, ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression, for a new remote code execution (RCE) vulnerability. Shortly after this advisory was released, Microsoft issued an out-of-band patch to protect affected users from CVE-2020-0796.  An out-of-band patch is typically released outside of the expected update period for a vendor.  In this particular case, Microsoft is known to release updates on Patch Tuesday, which was two days prior to this out-of-band update.

This vulnerability exists within the Microsoft Server Message Block 3.0 (SMBv3), specifically regarding malformed compression headers. Compression headers are a feature that was added to SMBv3 negotiate context request packets in May 2019. For successful unauthenticated exploitation an attacker would need to craft a SMBv3 packet that contains the malformed compression header to a vulnerable SMBv3 Server.  For SMBv3 clients would require enticing a user to connect to a compromised SMBv3 server that they control. At the time of release, Microsoft affirmed that they had not yet seen the vulnerability exploited in the wild (ITW).

This vulnerability only affects SMBv3 and the following builds of the Microsoft Windows operating system (OS):

• Windows 10 build 1903 and 1909 - 32-bit, x64 and ARM64 systems
• Windows Server build 1903 and 1909 - 32-bit, x64 and ARM64 systems

Mitigation Actions

Review the workaround guidance provided by the Microsoft Security Vulnerability. As always, we recommend our customers patch their systems as soon as possible. Upgrade Cortex XDR and Traps agents for protection against this vulnerability regardless of whether your systems have installed the relevant security update from Microsoft. For client mitigation, recommend creating an outbound firewall rule to block SMB outbound on public and private interfaces.   

Conclusion

Palo Alto Networks Cortex XDR and Traps provide protection against this vulnerability regardless of whether they are running on an unpatched instance of Microsoft Windows 10. Additionally, Palo Alto Networks offers multiple, additional complementary protections for this exploit.

• Cortex XDR and Traps can:
  • Stop the vulnerability exploit on unpatched Windows 10 systems. To gain protection, customers should ensure they are running the latest agent versions, specifically XDR agent 7.0.1 or later and Traps agent 6.1.5 or later.
  • To mitigate this vulnerability the latest XDR and Traps agents will deploy the following methods of protection
    • Per the recommendation from Microsoft, the agent will disable SMBv3 compression through the OS registry.
    • Prevents exploit attempts by monitoring for malicious network packets that leverage this SMB exploit technique. The admin will be able to review the relevant Behavioral Threat Protection (BTP) alert which will be triggered by a BTP rule named "bioc.cve_2020_0796".
• WildFire can stop the exploit with static signature detections.
• Next-Generation Firewalls will automatically stop sessions when this vulnerability is detected via the Palo Alto Networks IPS security solution, relevant Threat IDs are: 57778 and 57775.

As a member of the Microsoft Active Protections Program (MAPP) program, Palo Alto Networks received early details of the vulnerability, providing greater understanding of the threat, which helps us implement strong product coverage. As always, we recommend keeping your Microsoft products up to date with the latest patches to mitigate this vulnerability.

Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.