Microsoft releases patch for SMBv3 vulnerability

Microsoft has released a patch for the security vulnerability in Microsoft Server Message Block 3.1.1. Security researchers have now developed proof-of-concepts that demonstrate the potential for abuse.

Security update KB4551762 fixes the vulnerability tracked as CVE-2020-0796, which Microsoft announced on the night of Tuesday to Wednesday with few details at the time. The patch is available for versions 1903 and 1909 of Windows 10 and versions 1903 and 1909 of Windows Server Core installations. These are the vulnerable Windows versions. The company previously reported that, as a workaround, SMBv3.1.1 compression can be turned off.

The vulnerability lies in the way Microsoft Server Message Block 3.1.1, the latest version of Microsoft’s SMB protocol, handles certain requests. When abused, this allows code execution on an SMB server or client. To do this, the attacker must send a malicious data packet to an SMBv3 server, or persuade a client to connect to a malicious SMBv3 server. Windows versions earlier than 1903 are not vulnerable because they do not support SMBv3.1.1 compression.
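A triage check for a single host that combines the three facts above (affected release, KB4551762, compression workaround) into one verdict. This is an added example, not code from Microsoft or the article; the function name and status labels are hypothetical, and the `DisableCompression` registry value comes from Microsoft's advisory for this workaround rather than from this page.

```powershell
# Added example: local exposure check for CVE-2020-0796 (function name is hypothetical).
function Get-Smbv3CompressionExposure {
    [CmdletBinding()]
    param(
        [string[]]$AffectedReleases = @('1903', '1909'),  # versions named in the article
        [string]$FixKb = 'KB4551762'                      # update named in the article
    )

    # ReleaseId holds the feature release of the installed Windows build, e.g. "1909".
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release  = $cv.ReleaseId
    $affected = $AffectedReleases -contains $release

    # Get-HotFix matches this exact KB only. A later cumulative update that
    # supersedes it is not listed under this ID, so $false here means
    # "verify the installed build", not "definitely unpatched".
    $kbInstalled = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    # Workaround state: DisableCompression = 1 on the SMB server service
    # (registry value from Microsoft's advisory, not from this page).
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $dc = (Get-ItemProperty -Path $params -Name DisableCompression `
            -ErrorAction SilentlyContinue).DisableCompression
    $compressionOff = ($dc -eq 1)

    if (-not $affected) {
        $status = 'NotAffectedRelease'
    } elseif ($kbInstalled) {
        $status = 'Patched'
    } elseif ($compressionOff) {
        # The server-side setting does not cover the SMB client path.
        $status = 'ServerWorkaroundOnly'
    } else {
        $status = 'Exposed'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $release
        AffectedRelease     = $affected
        FixKbInstalled      = $kbInstalled
        CompressionDisabled = $compressionOff
        Status              = $status
    }
}

Get-Smbv3CompressionExposure
```

A `ServerWorkaroundOnly` result still needs the update, because the client-side scenario described above is not addressed by turning off compression on the server service.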

Bleeping Computer writes that several researchers have now written proof-of-concept code to demonstrate the possibilities of abuse. Kryptos Logic, for example, shows a video of a denial-of-service exploit causing a blue screen, while Sophos demonstrates a local privilege escalation exploit. The demonstrations show that abuse is possible in practice.