Critical remote unauthenticated vulnerability in SMBv3

9:30am, 13 March 2020

TLP Rating: Clear

Microsoft's implementation of SMBv3.1.1 contains a pre-authentication remote code execution vulnerability. Exploiting it would allow complete takeover of machines that expose SMB services to the network, which makes the vulnerability wormable – able to spread autonomously from one vulnerable host to the next without user interaction.

A similar vulnerability in SMBv1 was responsible for the spread of the WannaCry ransomware, and this vulnerability could enable comparable attacks if left unpatched.

What's happening

Systems affected

Modern Windows systems running SMBv3.1.1. Versions affected:

  • Windows 10 version 1903
  • Windows 10 version 1909
  • Windows Server version 1903
  • Windows Server version 1909

What this means

To compromise an SMB server, an attacker only needs network access to the SMB service (TCP port 445) and the ability to send it a specially crafted packet; no credentials are required.

To compromise an SMB client, an attacker must convince a user to connect to a malicious file share that they control.

What to look for

How to tell if you're at risk

If you are running one of the Windows versions in the affected list above and have not applied the security updates Microsoft released on 13 March, you are at risk.

Microsoft advisory (external link, includes patches)

What to do

Prevention

CERT NZ advises that you immediately apply the patch relevant to your version of Windows 10 or Windows Server to all affected systems.

If you are unable to apply the patch immediately, CERT NZ advises that, until the system can be patched, you:

  • disable SMBv3 compression
  • block TCP on port 445.
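The following PowerShell script is an added example and is not part of the CERT NZ advisory or Microsoft's guidance. It ties together the "how to tell if you're at risk" check and the two interim mitigations above: it reports whether the host's Windows release is in the affected list, whether SMBv3 compression is already disabled, and whether an inbound block on TCP 445 is in place, and with `-ApplyMitigations` it applies both workarounds. It assumes the `ReleaseId` value under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion` identifies the Windows feature release, and that the `DisableCompression` DWORD under the `LanmanServer\Parameters` key is Microsoft's documented switch for SMBv3 compression; neither key is quoted on this page. The firewall rule name is a constructed example.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session.
# Assumptions (not quoted on the advisory page):
#   - ReleaseId under CurrentVersion identifies the feature release (1903/1909).
#   - DisableCompression under LanmanServer\Parameters is Microsoft's documented
#     SMBv3 compression switch for this workaround.
# Patch state is not checked here; confirm the 13 March updates via Windows Update.
param(
    [switch]$ApplyMitigations
)

$AffectedReleases = @('1903', '1909')   # from the advisory's affected-versions list
$RuleName         = 'Block inbound SMB TCP 445 (interim workaround)'  # constructed name
$LanmanParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbV3RiskStatus {
    $os     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $params = Get-ItemProperty $LanmanParams -ErrorAction SilentlyContinue
    $rule   = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ProductName         = $os.ProductName
        ReleaseId           = $os.ReleaseId
        InAffectedList      = ($AffectedReleases -contains $os.ReleaseId)
        CompressionDisabled = ($params.DisableCompression -eq 1)
        Port445Blocked      = ($null -ne $rule -and $rule.Enabled -eq 'True')
    }
}

function Disable-SmbV3Compression {
    # Workaround 1 from the advisory: turn off SMBv3 compression on the server side.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Host "SMBv3 compression disabled (DisableCompression=1). No reboot required."
}

function Block-InboundSmbTcp445 {
    # Workaround 2 from the advisory: block TCP 445 so the server cannot be reached.
    # Inbound only; this does not stop a client from connecting out to a malicious share.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    Write-Host "Inbound TCP 445 blocked by rule '$RuleName'."
}

$status = Get-SmbV3RiskStatus
$status | Format-List

if (-not $status.InAffectedList) {
    Write-Host "Release $($status.ReleaseId) is not in the advisory's affected list."
    return
}

Write-Warning "This host runs an affected release. Apply the 13 March update as soon as possible."

if ($ApplyMitigations) {
    if (-not $status.CompressionDisabled) { Disable-SmbV3Compression }
    if (-not $status.Port445Blocked)      { Block-InboundSmbTcp445 }
    Get-SmbV3RiskStatus | Format-List
}
else {
    Write-Host "Re-run with -ApplyMitigations to apply the interim workarounds."
}
```

Run it once without arguments to get a one-screen risk summary suitable for an inventory spreadsheet, and with `-ApplyMitigations` on hosts that cannot be patched yet. Both workarounds are reversible (set `DisableCompression` back to 0 and remove the firewall rule) once the update is installed, and blocking TCP 445 will also break legitimate file and printer sharing to the host, so plan for that before applying it broadly.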

Security patches for affected systems (external link, Microsoft)

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384