10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’.
Recent assessments:
jorgeorchilles at March 11, 2020 1:19pm UTC reported:
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday.Update 3/12/2020: Microsoft released an out of band patch
Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”
Microsoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
CERT followed: <https://www.kb.cert.org/vuls/id/872016/>
This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.
Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>
Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Microsoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>
zeroSteiner at April 15, 2020 4:10pm UTC reported:
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday.Update 3/12/2020: Microsoft released an out of band patch
Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”
Microsoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
CERT followed: <https://www.kb.cert.org/vuls/id/872016/>
This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.
Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>
Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Microsoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>
FULLSHADE at April 21, 2020 3:50am UTC reported:
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday.Update 3/12/2020: Microsoft released an out of band patch
Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”
Microsoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
CERT followed: <https://www.kb.cert.org/vuls/id/872016/>
This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.
Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>
Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Microsoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>
brettsec at March 10, 2020 9:16pm UTC reported:
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday.Update 3/12/2020: Microsoft released an out of band patch
Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”
Microsoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
CERT followed: <https://www.kb.cert.org/vuls/id/872016/>
This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.
Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>
Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Microsoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>
busterb at March 15, 2020 12:19pm UTC reported:
SMBv3.11 has a buffer overflow vulnerability when compression is enabled (default value). Windows 10 and Server use SMBv3.11 and the service runs as SYSTEM. Successful exploitation will result in remote code exection, with SYSTEM privileges. This is considered “wormable”. Microsoft did not release a patch in March 2020 Patch Tuesday.Update 3/12/2020: Microsoft released an out of band patch
Microsoft pulled the patch for CVE-2020-0796 from March 2020 Patch Tuesday at the last minute and some information was leaked by Cisco Talos but then deleted from their post. A screenshot I took states: “CVE-2020-0796 is a remote code execution vulnerability in Microsoft Server Message Block 3.0 (SMBv3). An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to.”
Microsoft then released an advisory with more information: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005>
“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”
CERT followed: <https://www.kb.cert.org/vuls/id/872016/>
This issue affects both SMB client and server that have SMBv3 Compression enabled. Remote code execution is possible pre-authentication from the network. CVSSv3 of 10. SMB runs with SYSTEM privileges.
Impacted systems must run SMB v3.11. Compression is enabled by default.
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Method to identify if SMB v3.11 is running and therefore vulnerable, given no patch, is possible through nmap: <https://gist.github.com/nikallass/40f3215e6294e94cde78ca60dbe07394>
Disable SMBv3 compression via registry as specified in ADV200005.
Server: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
Client: Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 0 -Force
Microsoft released an out of band patch: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 2
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%