9:30am, 13 March 2020
TLP Rating:
Critical remote unauthenticated vulnerability in SMBv3
Microsoft's implementation of SMBv3.1.1 is vulnerable to pre-authentication remote code execution. This would allow complete takeover of machines that expose SMB services to the network, and means that the vulnerability is wormable – able to spread autonomously.
A similar vulnerability in SMBv1 was responsible for the spread of the WannaCry ransomware, and this could result in similar attacks if not patched.
What's happening
Systems affected
Modern Windows systems running SMBv3.1.1. Versions affected:
- Windows 10 version 1903
- Windows 10 version 1909
- Windows Server version 1903
- Windows Server version 1909
What this means
To affect an SMB server, an attacker simply needs to be able to connect to the SMB server and send a specially crafted packet.
To affect a client, an attacker must convince a user to connect to a malicious file share.
What to look for
How to tell if you're at risk
If you are running one of the versions of Windows in the affected list, and have not applied the updates that were released on 13 March, then you are at risk.
Microsoft advisory – includes patches
What to do
Prevention
CERT NZ advises that you apply the patch relevant to your version of Windows 10 or Windows Server immediately to all systems.
If you are unable to apply the patch immediately, then CERT NZ advises that until you can patch the system, you:
- disable SMBv3 compression
- block TCP on port 445.
Security patches for affected systems - Microsoft
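The two interim mitigations above, scripted for a single Windows host as an added example (not CERT NZ's or Microsoft's own code). The function name, the firewall rule name and the use of the local Windows firewall for the port block are assumptions; builds 18362 and 18363 correspond to versions 1903 and 1909.

```powershell
# Added example: audit and apply the advisory's two interim mitigations on one host.
# Run from an elevated PowerShell session. The function name is hypothetical.
function Set-Smbv3InterimMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the port block is applied with the local Windows firewall.
        # Do not use this switch on a host that must keep serving file shares.
        [switch]$BlockInbound445
    )

    # Version 1903 is OS build 18362 and version 1909 is OS build 18363.
    $build = [System.Environment]::OSVersion.Version.Build
    $affected = $build -in 18362, 18363

    # DisableCompression = 1 turns off SMBv3 compression in the SMB server service.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    if ($affected -and $value -ne 1 -and $PSCmdlet.ShouldProcess($key, 'Set DisableCompression to 1')) {
        Set-ItemProperty -Path $key -Name DisableCompression -Type DWord -Value 1 -Force
        $value = 1
    }

    $ruleName = 'Interim block: inbound SMB TCP 445'   # constructed rule name
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($affected -and $BlockInbound445 -and -not $rule -and $PSCmdlet.ShouldProcess('TCP 445', 'Add inbound block rule')) {
        $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
    }

    # Report the resulting state so it can be collected across a fleet.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedVersion     = $affected
        CompressionDisabled = ($value -eq 1)
        Inbound445Blocked   = [bool]$rule
    }
}

Set-Smbv3InterimMitigation -WhatIf    # preview the changes; rerun without -WhatIf to apply
```

The registry value only changes the SMB server side, so it does not protect the host when it connects to a file share as a client; applying the patch remains the fix.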
More information
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384.