A recent out-of-band patch from Microsoft resolves a vulnerability in how Windows 10 and Server 2019 handle decompression in the file sharing protocol SMBv3. According to Microsoft, a successful exploit of this vulnerability could enable remote code execution over a network using SMB. More specifically, an unauthenticated attacker could send a crafted message to a server and take over the server. The attacker could also send a message to a client, and if the user accepted this connection the attacker could achieve remote code execution on the client side. Microsoft didn’t release any further details on the vulnerability, but did list the vulnerable OS configurations.
Microsoft may have mixed up their release dates for this particular fix. Normally, Microsoft releases security fixes on the second Tuesday of every month, known as “patch Tuesday.” The fix for this vulnerability wasn’t originally included in this month’s patch roundup, but it appears that Microsoft inadvertently released details on the vulnerability on Tuesday anyway, forcing them to put out the fix as an emergency patch two days later. We suspect it wouldn’t take long for an attacker to inspect what changed in SMB 3.1.1 to identify the vulnerability and build a workable exploit. Microsoft likely released the patch now to limit the damage from the details having been released.
This vulnerability only affects Windows versions 1909 and 1903 using SMB 3.1.1 with compression. While updating Windows to install the patch fixes the vulnerability, you can also edit the registry to disable the compression used with SMB. We don’t see any reason to use the registry edit now that Microsoft has released the update, except when an immediate restart is not possible. The update requires a restart and the registry edit doesn’t. If you can’t restart now, edit the registry through PowerShell, then update as soon as you can.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
After patching your systems, you can re-enable SMB compression.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Security researchers continue to find vulnerabilities in the SMB protocol. Only trusted network connections should be allowed SMB access (port 445), and where possible restrict SMB access further. Never allow SMB access from the external Internet.
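The checks and workaround above, gathered into one script as an added example (not from the original post): it reports whether a host is on one of the named releases with SMB compression still enabled, applies or reverts the same registry workaround, and blocks inbound 445 on the Public firewall profile. It assumes an elevated PowerShell session; the firewall rule name is a placeholder of my own.

```powershell
# Added example, not part of the original post. Run elevated.
$SmbServerParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedReleases = @('1903', '1909')   # the releases the post names

function Get-SmbCompressionStatus {
    $winver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # An absent DisableCompression value means the default: compression enabled.
    $value = (Get-ItemProperty -Path $SmbServerParams -Name DisableCompression `
              -ErrorAction SilentlyContinue).DisableCompression
    [pscustomobject]@{
        ReleaseId           = $winver.ReleaseId
        Build               = $winver.CurrentBuild
        AffectedRelease     = ($winver.ReleaseId -in $AffectedReleases)
        CompressionDisabled = ($value -eq 1)
        Listening445        = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                                    -ErrorAction SilentlyContinue)
    }
}

function Set-SmbCompression {
    param([Parameter(Mandatory)][bool]$Disabled)
    # Same Set-ItemProperty the post shows: 1 disables, 0 re-enables. No reboot needed.
    Set-ItemProperty -Path $SmbServerParams -Name DisableCompression -Type DWORD `
        -Value ([int]$Disabled) -Force
}

function Block-InboundSmbOnPublic {
    # Defence in depth from the last paragraph: no SMB from untrusted (Public) networks.
    $name = 'Block SMB 445 inbound (Public)'   # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

$status = Get-SmbCompressionStatus
$status | Format-List
if ($status.AffectedRelease -and -not $status.CompressionDisabled) {
    Write-Warning 'Affected release with SMB compression enabled; disabling until patched.'
    Set-SmbCompression -Disabled $true
}
Block-InboundSmbOnPublic
```

Once the update is installed and the host has restarted, run `Set-SmbCompression -Disabled $false` to revert the workaround.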