Windows SMBv3 Client/Server Information Disclosure Vulnerability [CVE-2020-1206]

CVE number – CVE-2020-1206

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

Affected Platforms

• Microsoft Windows 10 – Versions 1903, 1909, and 2004
• Microsoft Windows Server 2019 – Versions 1903, 1909, and 2004 

Resolution

Microsoft released an update to address SMBleed as part of their standard monthly security releases. Affected organisations are encouraged to apply this update immediately. Organisations that cannot apply the update should consider Microsoft’s recommendation to disable SMB compression using the following PowerShell command:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

Please note that this only prevents exploitation of the vulnerability against SMBv3 servers. Systems acting as SMBv3 clients will still be exposed.

Affected users should also consider blocking all inbound and outbound connections over TCP port 445 at their perimeter firewall. To help prevent the propagation of related attacks, inbound TCP port 445 connections can also be blocked using host-based firewalls.

Further information:

• CVE-2020-1206
• Microsoft Advisory KB4557957
• Microsoft Advisory KB4560960