Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client.
To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
- 3/12/20: fixed typo with rule direction in step 2, thanks to @TechGrlTweeter
- 3/12/20: Microsoft has patched the issue. Details here. Ned Pyle also confirmed that the mitigation to disable SMB compression would have no impact on SMB operations; the feature is not yet live.
- Full Report
- Defender Signature
There are two problems:
- Windows 2019 SMB Servers are vulnerable to RCE
- Windows 10 clients are vulnerable when they connect to an attacker-controlled SMB service (phishing, etc.).
Problem 1 - Servers
Use group policy to disable SMB Compression on Windows 2019 Servers.
1) Create new Group Policy linked to Servers OU(s)
2) Apply a WMI filter to the empty GPO:
Namespace: root\CIMv2
Query: Select BuildNumber from Win32_OperatingSystem WHERE BuildNumber >= 18300
3) Edit the GPO:
Computer Configuration > Preferences > Registry
Create new registry GPP item:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value Name: DisableCompression
Value Type: REG_DWORD
Value Data: 1
Done.
Screenshots (in case they are useful to you): WMI query for 2019 servers (thanks Tyler!); full GPO.
Problem 2 - Clients
Goal: Prevent your clients from being tricked into talking to a malicious SMB server while retaining access to corporate SMB services.
1) Create a new GPO linked to Workstations OU(s)
2) Navigate to Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Outbound Rules
3) New Outbound Rule:
Rule Type: Port
Protocols and Ports: TCP, Specific Ports: 139,445
Action: Block the connection
Profile: Private, Public (not Domain)
Name: DENY TCP 139,445 OUTBOUND when off Domain Network
Done.
There is an extra step you can take for telemetry/logging L2TP connections though:
4) Open the Outbound Rule you just created. Navigate to the "Advanced" tab. On Interface Types, click Customize. Un-check the "Remote Access" interface type.
Done.
Note: It's recommended to have SMB (TCP 139,445) blocked inbound to workstations as a security baseline, and highly recommended if you can make it work with your business. Workstations still act as SMB 'servers' in the context of this vulnerability, so if you can't block inbound SMB, you'll need to apply the server rules (Problem 1) to the workstations as well.
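To verify that both mitigations actually landed on a host after the GPOs apply, here is an added read-only audit script (not part of the original post). It assumes an elevated PowerShell session on Windows 8/2012 or later, where the NetSecurity cmdlets (Get-NetFirewallRule and its filter cmdlets) are available; the build gate mirrors the WMI filter in Problem 1 and the registry value is the DisableCompression DWORD from step 3.

```powershell
# Added audit script, not from the original post. Reports whether a host carries
# the two mitigations above. Read-only; run in an elevated PowerShell session.

function Test-SmbServerCompressionMitigation {
    # Same gate as the WMI filter in Problem 1: only builds >= 18300 carry SMBv3.1.1 compression.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $params -Name DisableCompression -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.DisableCompression } else { $null }
    [pscustomobject]@{
        BuildNumber        = $build
        CompressionCapable = ($build -ge 18300)
        DisableCompression = $value
        Mitigated          = ($build -lt 18300) -or ($value -eq 1)   # older builds have nothing to disable
    }
}

function Test-SmbOutboundBlockRule {
    # Finds an enabled outbound block on TCP 139 and 445 that leaves the Domain profile alone,
    # and reports whether the Remote Access (VPN) interface type was exempted as in step 4.
    $candidates = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $candidates) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -ne 'TCP') { continue }
        $remote = @($port.RemotePort) -join ','
        if ($remote -notmatch '(^|,)445(,|$)' -or $remote -notmatch '(^|,)139(,|$)') { continue }
        $profiles = $rule.Profile.ToString()                       # e.g. "Private, Public" or "Any"
        $iface = ($rule | Get-NetFirewallInterfaceTypeFilter).InterfaceType.ToString()
        return [pscustomobject]@{
            RuleName            = $rule.DisplayName
            Profiles            = $profiles
            ExcludesDomain      = ($profiles -ne 'Any') -and ($profiles -notmatch 'Domain')
            InterfaceTypes      = $iface
            ExemptsRemoteAccess = ($iface -ne 'Any') -and ($iface -notmatch 'RemoteAccess')
        }
    }
    return $null
}

$server = Test-SmbServerCompressionMitigation
$client = Test-SmbOutboundBlockRule
$server | Format-List
if ($client) { $client | Format-List } else { Write-Warning 'No outbound TCP 139/445 block rule found (Problem 2 GPO not applied?).' }
if ($server.CompressionCapable -and -not $server.Mitigated) {
    Write-Warning 'SMB compression is still enabled on a build that supports it; apply the Problem 1 GPO.'
}
```

Run it after `gpupdate /force` on a sample server and workstation; an `ExcludesDomain` of False means the rule will also block SMB to your corporate file servers when the machine is on the domain network.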
Screenshots (in case they are useful to you): General tab of the firewall rule; Ports and Protocols; allow Domain Network SMB; allow L2TP connection SMB (inside the Advanced tab); full rule.