"EternalDarkness" - unpatched SMB v3 compression RCE bug details leaked


Microsoft has announced in its security advisory the details of a remote code execution (RCE) vulnerability, tracked as CVE-2020-0796, in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles connections that use compression.

 

This vulnerability has been nicknamed 'EternalDarkness' and 'SMBGhost', after the EternalBlue exploit that leveraged an earlier SMB vulnerability to spread the WannaCry ransomware in 2017.

 

Affected products:

Product           Version
Windows Server    Version 1903 (Server Core installation)
Windows Server    Version 1909 (Server Core installation)
Windows 10        Version 1903 for 32-bit Systems
Windows 10        Version 1903 for ARM64-based Systems
Windows 10        Version 1903 for x64-based Systems
Windows 10        Version 1909 for 32-bit Systems
Windows 10        Version 1909 for ARM64-based Systems
Windows 10        Version 1909 for x64-based Systems


Details on exploit:

Currently, no proof-of-concept (PoC) exploit is publicly available. On successful exploitation, the attacker gains the ability to execute code on the target SMB server or SMB client. The vulnerability is wormable, meaning that any future malware exploiting it could propagate from one vulnerable computer to another, much as WannaCry did in 2017. As the Microsoft security advisory ADV200005 states, "To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

 

Workaround:
We will notify you once updates are available for this vulnerability. For the time being, you can follow the workarounds described below to secure your affected systems.

Disable SMBv3 compression:

Here are the steps suggested in the Microsoft advisory to disable SMBv3 compression (this disables only the compression feature that the vulnerable code path depends on, not SMBv3 itself):

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

  • No reboot is needed after making the change.

  • While this workaround will prevent exploitation of SMBv3 Server, it is important to note that SMBv3 Client will remain vulnerable until a patch is available and applied.

 

You can revert the workaround (re-enable compression) with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
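The following script is an added example for the procedure above; it is not part of the Microsoft advisory or this page. It checks whether the host is on one of the listed builds, reads the current DisableCompression value (a missing value means compression is enabled, the default), applies the workaround only when needed, and verifies the result. The mapping of build numbers to Windows versions (18362 = 1903, 18363 = 1909) and the script's messages are assumptions made here.

```powershell
# Added example, not from the advisory or the original page.
# Registry path from the Microsoft advisory (server-side SMB settings).
$paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Assumed build-to-version mapping for the affected releases listed above.
$affectedBuilds = @{ '18362' = '1903'; '18363' = '1909' }

$build = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($affectedBuilds.ContainsKey($build)) {
    Write-Host "Build $build (version $($affectedBuilds[$build])) is in the affected list."
} else {
    Write-Host "Build $build is not one of the listed affected builds; the workaround is harmless but may be unnecessary."
}

# Read the current value. Get-ItemProperty throws if the value does not exist,
# so suppress that and treat a missing value as 'compression enabled'.
$current = (Get-ItemProperty -Path $paramsPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
if ($current -eq 1) {
    Write-Host 'SMBv3 compression is already disabled (DisableCompression = 1).'
} else {
    Write-Host 'SMBv3 compression is enabled; applying the workaround.'
    Set-ItemProperty -Path $paramsPath -Name DisableCompression -Type DWORD -Value 1 -Force
}

# Verify. No reboot is needed; the setting applies to new SMB connections.
$after = (Get-ItemProperty -Path $paramsPath -Name DisableCompression).DisableCompression
if ($after -ne 1) { throw 'Workaround not applied: DisableCompression is not 1.' }
Write-Host 'Verified: DisableCompression = 1. Note this protects the SMB server role only; the SMB client stays vulnerable until patched.'

# To revert once the patch is installed:
#   Set-ItemProperty -Path $paramsPath -Name DisableCompression -Type DWORD -Value 0 -Force
```

Run it from an elevated PowerShell session, since writing under HKLM requires administrator rights.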

 

Block inbound and outbound traffic on TCP port 445:

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall helps protect the systems behind that firewall from attempts to exploit this vulnerability. This guards against Internet-based attacks that originate outside the enterprise perimeter; however, systems remain exposed to attacks from within the perimeter.

To protect systems from attacks originating within the enterprise perimeter:

  • Navigate to Threats > Misconfigurations in the Vulnerability Manager Plus console.

  • Look for "Inbound connection in port 445 (TCP) is not blocked in Windows firewall" and click Deploy secure configuration.

This ensures that inbound TCP port 445 is blocked on all your affected machines. Execute this procedure at your own discretion, since some of your network operations (file shares, printer sharing, and other SMB-dependent services) may rely on TCP 445.
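For hosts that are not managed through the console, the following is an added example (not from the original page) of applying the same host-firewall control with the built-in NetSecurity cmdlets. It warns if the host publishes non-administrative SMB shares that the block would cut off, creates a block rule for TCP 445 in each direction (inbound covers the server-side attack, outbound covers the client being lured to a malicious SMB server) only if the rule does not already exist, and then reads the rule back. The rule names are assumptions made here.

```powershell
# Added example, not from the original page. Rule names are assumed.
$rules = @(
    @{ Name = 'Block-Inbound-TCP445-CVE-2020-0796';  Direction = 'Inbound'  },
    @{ Name = 'Block-Outbound-TCP445-CVE-2020-0796'; Direction = 'Outbound' }
)

# Warn before breaking file sharing: list shares other than the admin shares (C$, ADMIN$, IPC$).
$shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' }
if ($shares) {
    Write-Warning "This host exposes shares: $($shares.Name -join ', '). Blocking TCP 445 will make them unreachable."
}

foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction $r.Direction -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Read the rule back together with its port filter to confirm what was applied.
    $rule = Get-NetFirewallRule -DisplayName $r.Name
    $port = $rule | Get-NetFirewallPortFilter
    Write-Host "$($rule.DisplayName): Direction=$($rule.Direction) Action=$($rule.Action) Enabled=$($rule.Enabled) Port=$($port.LocalPort)"
}

# To revert after patching:
#   $rules | ForEach-Object { Remove-NetFirewallRule -DisplayName $_.Name }
```

Note that the outbound rule blocks all SMB client traffic from the host, including legitimate access to file servers, so it is only appropriate where that is acceptable; the inbound rule alone matches the console misconfiguration check described above.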
