Microsoft has announced in its security advisory the details of a remote code execution (RCE) vulnerability, tracked as CVE-2020-0796, in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles connections that use compression.
This vulnerability has been named 'EternalDarkness' and 'SMBGhost', along the lines of the EternalBlue exploit that leveraged the SMB vulnerability to launch the 2017 WannaCry ransomware.
Affected products:

| Product | Version |
|---|---|
| Windows Server | Version 1903 (Server Core Installation) |
| Windows Server | Version 1909 (Server Core Installation) |
| Windows 10 | Version 1903 for 32-bit Systems |
| Windows 10 | Version 1903 for ARM64-based Systems |
| Windows 10 | Version 1903 for x64-based Systems |
| Windows 10 | Version 1909 for 32-bit Systems |
| Windows 10 | Version 1909 for ARM64-based Systems |
| Windows 10 | Version 1909 for x64-based Systems |
Details on exploit:
Currently, there is no proof-of-concept (PoC) available. On successful exploitation the attacker could gain the ability to execute code on the target SMB Server or SMB Client. This vulnerability is wormable, meaning that any future malware that exploits it could propagate from one vulnerable computer to another in a similar way to WannaCry in 2017. As mentioned in the Microsoft security advisory ADV200005, "To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."
Workaround:
We will notify you once updates are available for this vulnerability. For the time being, you can follow the workaround described below to secure your affected systems:
Disable SMBv3 compression
Block inbound and outbound traffic on TCP port 445 on the perimeter firewall.
Here are the steps suggested in the Microsoft advisory to disable SMBv3 compression:
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Notes:
No reboot is needed after making the change.
While this workaround will prevent exploitation of SMBv3 Server, it is important to note that SMBv3 Client will remain vulnerable until a patch is available and applied.
You can disable the workaround with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
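As an added example (not part of the Microsoft advisory or this post), the following PowerShell script audits a host for the workaround state, applies the DisableCompression value on affected builds, and re-reads the key to verify it was written; the function names are hypothetical, and the build numbers 18362 (1903) and 18363 (1909) are assumed from public Windows release information, not from the advisory.

```powershell
# Added example, not from the Microsoft advisory. Run in an elevated PowerShell session.
# Builds 18362 (version 1903) and 18363 (version 1909) are an assumption from public
# Windows release information; the advisory itself lists versions, not build numbers.

$regPath        = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$affectedBuilds = @(18362, 18363)

function Test-SmbGhostExposure {
    # Current OS build, used to decide whether the advisory's affected list applies.
    $build = [int](Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").CurrentBuildNumber
    # DisableCompression does not exist by default; a missing value means compression is enabled.
    $current = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $effective = if ($null -eq $current) { 0 } else { [int]$current }
    [pscustomobject]@{
        Build               = $build
        AffectedBuild       = ($affectedBuilds -contains $build)
        DisableCompression  = $effective
        ServerWorkaroundSet = ($effective -eq 1)
        # The workaround only protects the SMB server role; the SMB client stays exposed until patched.
        ClientStillExposed  = ($affectedBuilds -contains $build)
    }
}

function Set-SmbGhostWorkaround {
    param([switch]$Revert)   # -Revert restores the default (compression enabled), as in the advisory
    $value = if ($Revert) { 0 } else { 1 }
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value $value -Force
    # No reboot is needed; confirm the key actually holds the requested value.
    $state = Test-SmbGhostExposure
    if ($state.DisableCompression -ne $value) { throw "DisableCompression was not updated to $value" }
    $state
}

# Report the current state, then apply only where the build is affected and not yet mitigated.
$state = Test-SmbGhostExposure
$state | Format-List
if ($state.AffectedBuild -and -not $state.ServerWorkaroundSet) {
    Write-Warning "Affected build $($state.Build) with SMBv3 compression enabled; applying workaround."
    Set-SmbGhostWorkaround | Format-List
} elseif (-not $state.AffectedBuild) {
    Write-Output "Build $($state.Build) is not in the advisory's affected list."
}
```

Blocking TCP port 445 at the perimeter, the second workaround above, is a network control and is not covered by this host-side script.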