Critical SMBv3 Vulnerability Leaked: Microsoft Patch and Mitigations

Update 03/12/20: Microsoft has updated its security advisory and released a patch for CVE-2020-0796 for Windows 10 and Windows Server versions 1903 and 1909:

Microsoft released patches for 155 vulnerabilities on its March 2020 Patch Tuesday, but there was one notable absence. No patch was released for a critical Server Message Block (SMBv3) vulnerability, tracked as CVE-2020-0796. Both Fortinet and Cisco Talos published blog posts summarizing the vulnerability ahead of the Patch Tuesday release, but no patch was released by Microsoft. It appears that information was shared with both companies and the blog posts were published on the understanding that a patch would be released. It was not, however, ready in time. Those blog posts have since been removed (Cisco Talos) and updated (Fortinet).

SMB is a network file sharing protocol that allows client machines to access files on a server. The bug in question is due to how the SMBv3 protocol handles certain requests. If an unauthenticated attacker were to send a specially crafted packet to a vulnerable server, it would be possible to execute arbitrary code and gain full control of the server. The vulnerability is also wormable. If an exploit were combined with a worm, it would be possible to move laterally and gain control of other vulnerable devices on the network, in a similar fashion to the MS17-010 vulnerability that was exploited in the WannaCry attacks.

In contrast to MS17-010, few details about the bug have been published and no exploit code has been released, so there is no imminent threat and exploitation attempts are not expected to start soon. Also, according to Fortinet, the buffer overflow vulnerability only affects Windows 10 v1903, Windows 10 v1909, Windows Server v1903, and Windows Server v1909. However, since SMBv3 was introduced with Windows 8 and Windows Server 2012, those operating systems may also be affected.

Fortinet described it as a maximum severity vulnerability and since enough information has been released to at least get threat actors searching for the flaw, it is strongly advisable to take steps to prevent exploitation until a patch is released by Microsoft.

In its now-removed blog post, Cisco recommended disabling SMBv3 compression and blocking TCP port 445 on firewalls and client computers. The same advice has been published by Microsoft in a recent security advisory.

You can disable SMBv3 compression on the server side with the following PowerShell command, run from an elevated prompt. No reboot is required.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

Disabling SMBv3 compression will not protect against exploitation of SMB clients, and blocking port 445 at the perimeter will not protect against exploitation from within the enterprise firewall, but these measures allow organizations to reduce the risk of exploitation until a patch is released.
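As an added example (not from the article or from Microsoft's advisory), the following PowerShell script checks whether a host is one of the builds the article lists as affected, applies the registry mitigation above, verifies it took effect, and adds a host firewall rule blocking inbound TCP 445. The build numbers 18362 (1903) and 18363 (1909) and the firewall rule name are assumptions not stated in the article; run it from an elevated prompt.

```powershell
# Added example: assess and mitigate CVE-2020-0796 exposure on a Windows host.
# Not from the article; run in an elevated (Administrator) PowerShell session.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name    = 'DisableCompression'

# 1. Is this host one of the builds the article lists as affected?
#    Build numbers are an assumption: 18362 = 1903, 18363 = 1909 (Windows 10 and Server).
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
$affectedBuilds = @(18362, 18363)
if ($affectedBuilds -contains $build) {
    Write-Host "Build $build is in the affected list; applying server-side mitigation."
} else {
    Write-Host "Build $build is not in the listed builds; applying mitigation anyway as a precaution."
}

# 2. Record the current value so the change can be reverted once the patch is installed.
$before = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
Write-Host "DisableCompression before: $(if ($null -eq $before) { '<not set>' } else { $before })"

# 3. Disable SMBv3 compression on the server side (same registry value as the article's command).
Set-ItemProperty -Path $RegPath -Name $Name -Type DWORD -Value 1 -Force

# 4. Verify the value actually took effect; fail loudly if it did not.
$after = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
if ($after -ne 1) { throw "DisableCompression is '$after', expected 1" }
Write-Host "DisableCompression after: $after (no reboot required)"

# 5. Block inbound TCP 445 at the host firewall (the second mitigation the article cites).
#    The rule name is an assumption; remove it with Remove-NetFirewallRule once patched.
$ruleName = 'Block-Inbound-SMB-445-CVE-2020-0796'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
} else {
    Write-Host "Firewall rule '$ruleName' already exists."
}

# Caveat from the article: neither step protects an SMB client that connects to a malicious server.
```

Blocking port 445 on a file server also blocks legitimate SMB clients, so scope the rule (for example with -RemoteAddress) to what your environment requires.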

Microsoft says in its security advisory, “To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.” That means the best protection until the patch is released is to disable SMB entirely.

No timescale has been released for the patch but, due to the severity of the flaw, Microsoft is unlikely to wait until April Patch Tuesday and an out-of-cycle patch is expected. Microsoft’s advice is to ensure the patch is applied as soon as it is released.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news