Zero-day vulnerability in Microsoft SMBv3 allows remote code execution on Windows systems; no patch available

The bad news keeps coming for Microsoft. A report published by researchers of a cyber security course revealed that the tech giant accidentally disclosed sensitive information about a zero-day vulnerability in the Microsoft Server Message Block (SMB) protocol.

The vulnerability, tracked as CVE-2020-0796, is a pre-authentication remote code execution issue in version 3.0 of the protocol that the company has not yet fixed, even though it had previously received the report.

According to members of the cyber security course, the flaw exists because of an error in the way SMBv3 handles maliciously crafted compressed data packets. Threat actors could exploit the vulnerability to execute arbitrary code in the context of the target application. In this regard, security firm Fortinet published a report mentioning repeated attempts to exploit a buffer overflow vulnerability in SMB servers, which it associated with CVE-2020-0796.

The security firm also mentioned that the vulnerability affects any device running Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909, and Windows Server 1909, although the presence of the flaw in other versions of the operating system.

Reports on vulnerabilities in the SMB protocol are a constant concern for the community because, as cyber security course experts point out, flaws in this protocol were a key factor in the spread of the WannaCry and NotPetya ransomware infections a couple of years ago.

Microsoft eventually acknowledged the flaw on March 10, adding that malicious hackers could exploit it to achieve remote code execution.

It is important to emphasize that no patch is yet available for this flaw. According to the International Institute of Cyber Security (IICS), an alternative way to mitigate the risk of exploitation is to disable SMBv3 compression and block TCP port 455.

To disable SMBv3 compression, administrators of exposed deployments can follow these steps:

  • Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters
  • Create a DWORD value
  • Set that value to “0”
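The PowerShell below is an added example, not code from the article or from Microsoft. It applies the SMBv3 compression workaround as published in Microsoft advisory ADV200005, which sets DisableCompression = 1 under the LanmanServer key (the list above names a different key and value), blocks inbound TCP 445 (the port SMB listens on) and reports the resulting state; the firewall rule name is an assumption of this example.

```powershell
# Added example: apply and verify the ADV200005 workaround for CVE-2020-0796.
# Run in an elevated (Administrator) PowerShell session.
# Key, value name and value (1) are Microsoft's published workaround; the rule
# name below is an assumption of this example.

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName = 'Block inbound SMB TCP 445 (CVE-2020-0796 mitigation)'

function Set-SmbCompressionMitigation {
    # DisableCompression = 1 makes the SMB server refuse compressed requests,
    # so the vulnerable decompression code path is never reached.
    Set-ItemProperty -Path $regPath -Name 'DisableCompression' -Type DWord -Value 1 -Force
}

function Block-InboundSmb {
    # Create the rule only once so the script stays idempotent when re-run.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Test-SmbMitigation {
    # Return an object rather than text so configuration management or a
    # compliance check can consume the result.
    $value = (Get-ItemProperty -Path $regPath -Name 'DisableCompression' `
                -ErrorAction SilentlyContinue).DisableCompression
    $rule  = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CompressionDisabled = ($value -eq 1)
        Port445Blocked      = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True')
    }
}

Set-SmbCompressionMitigation
Block-InboundSmb
Test-SmbMitigation | Format-List
```

Blocking TCP 445 also stops legitimate file and printer sharing to the host, and the server-side registry workaround does not protect SMB clients that connect to a malicious server, so the registry change should be reverted only once the vendor patch is installed.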

The company is expected to have a fix ready for this bug in its next update package, so system administrators are advised to remain alert to any new information.