News

Windows SMB 3 Flaw Gets Out-of-Band Security Patch

• By Kurt Mackie
• 03/12/2020

Windows systems susceptible to a "Critical"-rated vulnerability in Server Message Block (SMB) 3.1.1 got out-of-band patches from Microsoft this week, according to Microsoft's "out-of-band" security bulletin on Thursday.

The bulletin offers guidance on vulnerability CVE-2020-0796, which could lead to possible remote code execution attacks on 1903 and 1909 versions of Windows 10 clients and Windows Server. Older Windows versions aren't affected. Microsoft has now made the patches for this vulnerability available for download from the Microsoft Update Catalog.

Affected organizations that have already installed Microsoft's March security updates, released on Tuesday, would need to apply these patches.

"Customers who have already installed the updates released on March 10, 2020 for the affected operating systems should install KB4551762 to be protected from this vulnerability," the security bulletin clarified.

The security bulletin also included a workaround for disabling SMB 3 compression to address the vulnerability. However, it added a note that "in all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place."

Out of Band
Microsoft just missed including these patches in its March security patch bundle that was released on March 10 (hence, the "out-of-band" term). Instead, Microsoft just issued a security advisory about it on that date, which had only included a workaround (no patches). CVE-2020-0796's existence, though, had been publicized briefly by a couple of Microsoft's security partners.

Earlier (and subsequently deleted) descriptions by Microsoft's partners had suggested that this vulnerability was subject to "wormable" exploits. Possibly, the vulnerability was representative of past wormable outbreaks, such as an SMB 1 flaw that had enabled the WannaCry malware to spread almost three years ago. However, Microsoft's publications don't appear to use such "wormable" language.

Microsoft's security bulletin gave this vulnerability a Common Vulnerability Scoring System ranking of 10 ("Base"), which is at the top of the risk scale. CVE-2020-0796 has been publicly disclosed, but it hasn't been exploited as yet, per Microsoft's bulletin.

In a related matter, Microsoft provided guidance on securing SMB traffic in this support article, which offers details on blocking Port 445 use.

Test It
Susan Bradley, a Microsoft Most Valuable Professional and patch expert, suggested that IT pros consider first testing Microsoft's optional patches for the SMB 3 vulnerability at this point before rolling it out across a production network.

"At this time I'm not seeing active attacks and NO ONE should be STUPID enough to have port 445 a SMB file sharing port open to the web," Bradley wrote regarding the SMB 3 vulnerability in an AskWoody blog post. "So I'm still in don't panic, don't install and let's test mode."