ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    ADV200005 | Server Message Block 3.1.1 (SMBv3) Vulnerability & Workaround

    Scheduled Pinned Locked Moved IT Discussion
    smbv3vulnerabilitymitigationworkaround
    2 Posts 2 Posters 396 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ObsolesceO
      Obsolesce
      last edited by Obsolesce

      ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

      Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

      To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

      Workarounds

      The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:

      Disable SMBv3 compression

      You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

      Notes:

      1. No reboot is needed after making the change.
      2. This workaround does not prevent exploitation of SMB clients.

      You can disable the workaround with the PowerShell command below.

      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

      PhlipElderP 1 Reply Last reply Reply Quote 0
      • PhlipElderP
        PhlipElder @Obsolesce
        last edited by

        @Obsolesce said in ADV200005 | Server Message Block 3.1.1 (SMBv3) Vulnerability & Workaround:

        ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression

        Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.

        To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

        Workarounds

        The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:

        Disable SMBv3 compression

        You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

        Notes:

        1. No reboot is needed after making the change.
        2. This workaround does not prevent exploitation of SMB clients.

        You can disable the workaround with the PowerShell command below.

        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

        Keep in mind that the vulnerability is only listed for Windows 10 1903 and up and Windows Server Semi-Annual Channel 1903 and up.

        Folks should have inbound file/print turned off at user endpoints via Group Policy anyway so that eliminates that vector.

        We don't deploy containers so no Server SAC anywhere in our stable.

        1 Reply Last reply Reply Quote 0
        • 1 / 1
        • First post
          Last post