Select Page

[Overview]

The SMB protocol is a network sharing protocol used in Microsoft Windows, and is often used to share files and printers within a local area network; SMBv3 is version 3 of SMB. Recently, Microsoft announced an SMBv3 remote code execution vulnerability. At present, Microsoft has released a security patch to fix the vulnerability. Meanwhile, Hillstone Networks has released signatures against this vulnerability. It is recommended that users patch or upgrade the intrusion detection signature database of network security devices in time for protection. Check our SMBGhost Analysis white paper to learn more.

Download White Paper Now

[Vulnerability Details]

CVE-2020-0796: This is a memory corruption vulnerability targeting SMB server/client, which is a serious remote code execution vulnerability. Hackers can use this vulnerability to execute arbitrary code on the target SMB server or SMB client.

The client-side vulnerability occurred in mrxsmb.sys. The server-side vulnerability occurred in srv2.sys. SMB did not properly handle the compressed data packet nor use the length passed by the client for the data packet decompression without checking whether the length is legal, thereby causing an integer overflow.

Vulnerability Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0796

[Severity]

High

[Affected Versions]

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-basedSystems
  • Windows 10 Version 1903 for ARM64-basedSystems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-basedSystems
  • Windows 10 Version 1909 for ARM64-basedSystems
  • Windows Server, version 1909 (Server Core installation)

[Suggestions]

  • Update the official fixes to avoid being affected by the vulnerability
  • If it cannot be updated immediately, temporary mitigation measures should be taken:
    • Disable SMBv3 compression; use PowerShell commands to disable compression to prevent unauthenticated attackers from exploiting the vulnerability of the SMBv3 server.
    • Close port 445
    • The network security device should upgrade the intrusion detection signature database.

[Hillstone Networks Solutions]

Hillstone Networks has added this threat behavior to the signature list, Signature Database Version: 2.1.341. By deploying Hillstone Networks NIPS, NGFW, CloudEdge, CloudHive, or sBDS, the SMBv3 Protocol Remote Code Execution vulnerability can be quickly detected and effectively intercepted, preventing the server from being attacked.

Threat Events Detected by Hillstone Solutions

Vulnerability Detail Description

Hillstone NGFWs Recognized for 8th Straight Year in Gartner® Magic Quadrant™, Named as a “Visionary”

Hillstone Networks Wins 2021 CybersecAsia Readers’ Choice Award

ZTNA: A Better Way to Control Access, Boost Security

Hillstone sBDS V3.4 Extends Supplementary Detection Capabilities

Kudos to the Hillstone Security Research Team for Being Acknowledge by Microsoft for Vulnerability Discovery

Hillstone Releases iSource, an Extended Detection and Response Platform

Hillstone’s A200W streamlines deployment of cost-effective perimeter solution

Endpoint Detection and Response: Getting from Good to Great

ADC V2.9 delivers traffic and balances links at an unprecedented level