{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-014.pdf"
    },
    "title": "UPDATE: SMBv3 - Critical Remote Code Execution Vulnerability",
    "serial_number": "2020-014",
    "publish_date": "11-03-2020 12:28:00",
    "description": "On the 10th of March 2020, Microsoft released a security advisory for a remote code execution vulnerability affecting Microsoft Server Message Block 3.1.1 (SMBv3) protocol. An \"unauthenticated\" attacker who successfully exploited the vulnerability could \"execute code\" on a target \"SMB Server or SMB Client\". The vulnerability is referenced as CVE-2020-0796.",
    "url_title": "2020-014",
    "content_markdown": "---\ntitle: 'SMBv3 -- Critical Remote Code Execution Vulnerability'\nversion: '1.1'\nnumber: '2020-014'\ndate: 'March 13, 2020'\n---\n\n_History:_\n\n* _11/03/2020 --- v1.0 -- Initial publication_\n* _13/03/2020 --- v1.1 -- Update with information about the patch available_\n\n# Summary\n\nOn the 10th of March 2020, Microsoft released a security advisory for a remote code execution vulnerability affecting Microsoft Server Message Block 3.1.1 (SMBv3) protocol [1]. An **unauthenticated** attacker who successfully exploited the vulnerability could **execute code** on a target **SMB Server or SMB Client**. The vulnerability is referenced as CVE-2020-0796.\n\nMicrosoft re-released this month's Patch Tuesday security update to fix this vulnerability [4].\n\n# Technical Details\n\nThe vulnerability can be exploited in two different ways:\n\n* by sending a specially crafted packet to a targeted SMBv3 server,\n* by convincing a user to connect to a malicious SMBv3 server.\n\nMicrosoft has not disclosed technical information on the vulnerability; however, based on the workaround provided by Microsoft [1], the vulnerability appears to be linked to the handling of compressed data packets.\n\nFortiGuard Labs also released an IPS rule describing the vulnerability as being related to a Buffer Overflow [2]. According to FortiGuard Labs, _the vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet_.\n\nMore technical details have now been provided in [5].\n\n# Products Affected\n\n* Windows 10 Version 1903 for 32-bit Systems\n* Windows 10 Version 1903 for ARM64-based Systems\n* Windows 10 Version 1903 for x64-based Systems\n* Windows 10 Version 1909 for 32-bit Systems\n* Windows 10 Version 1909 for ARM64-based Systems\n* Windows 10 Version 1909 for x64-based Systems\n* Windows Server, version 1903 (Server Core installation)\n* Windows Server, version 1909 (Server Core installation)\n\n# Recommendations\n\nMicrosoft has released a patch for this vulnerability [4]. It is strongly advised to apply the security update **KB4551762** from Microsoft to fix this vulnerability as soon as possible.\n\n\n# References\n\n[1] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005>\n\n[2] <https://fortiguard.com/encyclopedia/ips/48773>\n\n[3] <https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>\n\n[4] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796>\n\n[5] <https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>11/03/2020 --- v1.0 -- Initial publication</em></li><li><em>13/03/2020 --- v1.1 -- Update with information about the patch available</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 10th of March 2020, Microsoft released a security advisory for a remote code execution vulnerability affecting Microsoft Server Message Block 3.1.1 (SMBv3) protocol [1]. An <strong>unauthenticated</strong> attacker who successfully exploited the vulnerability could <strong>execute code</strong> on a target <strong>SMB Server or SMB Client</strong>. The vulnerability is referenced as CVE-2020-0796.</p><p>Microsoft re-released this month's Patch Tuesday security update to fix this vulnerability [4].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability can be exploited in two different ways:</p><ul><li>by sending a specially crafted packet to a targeted SMBv3 server,</li><li>by convincing a user to connect to a malicious SMBv3 server.</li></ul><p>Microsoft has not disclosed technical information on the vulnerability; however, based on the workaround provided by Microsoft [1], the vulnerability appears to be linked to the handling of compressed data packets.</p><p>FortiGuard Labs also released an IPS rule describing the vulnerability as being related to a Buffer Overflow [2]. According to FortiGuard Labs, <em>the vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet</em>.</p><p>More technical details have now been provided in [5].</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>Windows 10 Version 1903 for 32-bit Systems</li><li>Windows 10 Version 1903 for ARM64-based Systems</li><li>Windows 10 Version 1903 for x64-based Systems</li><li>Windows 10 Version 1909 for 32-bit Systems</li><li>Windows 10 Version 1909 for ARM64-based Systems</li><li>Windows 10 Version 1909 for x64-based Systems</li><li>Windows Server, version 1903 (Server Core installation)</li><li>Windows Server, version 1909 (Server Core installation)</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Microsoft has released a patch for this vulnerability [4]. It is strongly advised to apply the security update <strong>KB4551762</strong> from Microsoft to fix this vulnerability as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://fortiguard.com/encyclopedia/ips/48773\">https://fortiguard.com/encyclopedia/ips/48773</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections\">https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html\">https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}