Microsoft has issued an alert (ADV200005) regarding a remote code execution vulnerability (CVE-2020-0796) in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploits it could execute code on a target SMB server or SMB client. The vulnerability is reported to be "wormable," meaning a compromised host could be used to attack other reachable SMBv3 hosts without user interaction.
At the time of this alert no patch is available, but Microsoft has provided a workaround that gives partial mitigation (servers only; see the notes below).
The following suggestions/guidance have been issued by Microsoft:
To block an unauthenticated attacker from exploiting this vulnerability against an SMBv3 server, disable SMBv3 compression with the PowerShell command below (run from an elevated PowerShell session):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
Notes:
No reboot is needed after making the change.
This workaround does NOT prevent exploitation of SMB clients or exploitation by an authenticated attacker.
Disabling compression may affect performance. Testing is strongly advised before implementing this workaround.
You can revert the workaround (re-enable SMBv3 compression) with the PowerShell command below:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 0 -Force
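The script below is an added example, not part of the original alert or of Microsoft's advisory text. It wraps the two registry commands above so the workaround can be checked, applied, and reverted idempotently from an elevated PowerShell session, and it reads the value back after writing rather than trusting the write. The -CheckOnly and -Revert switches, the function names, and the output format are this example's own conventions, not anything Microsoft publishes.

```powershell
# Added example: check, apply, or revert the ADV200005 server-side workaround
# (DisableCompression=1 under LanmanServer\Parameters). Not Microsoft's script.
# Run elevated. No reboot is needed. The switches and function names are
# this example's own assumptions.
[CmdletBinding()]
param(
    [switch]$Revert,     # restore DisableCompression to 0 (undo the workaround)
    [switch]$CheckOnly   # report the current state without changing anything
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name    = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns 1 if the workaround is applied, 0 if compression is enabled,
    # or $null if the value has never been set (the default: compression enabled).
    $item = Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-SmbCompressionState {
    param([ValidateSet(0, 1)][int]$Value)
    # Same registry write as the advisory; -Force creates the value if it is absent.
    Set-ItemProperty -Path $RegPath -Name $Name -Type DWORD -Value $Value -Force
    # Verify by reading the value back instead of assuming the write succeeded.
    $now = Get-SmbCompressionState
    if ($now -ne $Value) {
        throw "Verification failed: $Name is '$now', expected $Value"
    }
    return $now
}

$before = Get-SmbCompressionState
$label = if ($null -eq $before) { 'not set (compression enabled)' }
         elseif ($before -eq 1)  { '1 (workaround applied)' }
         else                    { "$before (compression enabled)" }
Write-Host "$Name before: $label"

if ($CheckOnly) { return }

$target = if ($Revert) { 0 } else { 1 }
$after  = Set-SmbCompressionState -Value $target
$state  = if ($after -eq 1) { 'workaround applied' } else { 'workaround removed' }
Write-Host "$Name after: $after ($state)"
```

Running it with -CheckOnly is a safe way to inventory a fleet before and after rollout. Remember that this only mitigates the server side: a host with the value set to 1 can still be attacked as an SMB client.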
Additional guidance from Microsoft on protecting SMB clients is in ADV200005: block TCP port 445 at the enterprise perimeter firewall. This helps against attacks originating outside the perimeter, but hosts remain exposed to attacks from inside it.
Microsoft strongly recommends installing the security update for this vulnerability as soon as it becomes available; the workaround above is an interim measure, not a substitute for the patch.