Threat Watch

Microsoft Issues Security Advisory for SMBv3

Microsoft has released a security advisory for a remote code execution vulnerability recently discovered in SMBv3, the protocol commonly used within businesses for file sharing. To exploit an SMB server, an unauthenticated attacker only needs to send a specially crafted request. Exploiting a client is harder, as it requires the client to connect to an attacker-controlled server. So far, Microsoft has not detected any exploitation attempts against this vulnerability. Further details about the vulnerability have not yet been made available.

ANALYST NOTES

Until updates are made available, Microsoft has offered a workaround for the issue. Servers can disable SMBv3 compression with a registry edit. The following PowerShell snippet sets the value:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Please note that this command only protects SMB servers from attempts to exploit this vulnerability; it does not protect clients. To re-enable SMBv3 compression, re-run the PowerShell snippet with the "1" changed to a "0". In most environments, external SMB file sharing is not necessary and should be blocked at the firewall. This can also prevent clients from connecting to attacker-controlled servers.
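The following PowerShell script is an added example, not code from Microsoft or the advisory: it wraps the workaround above in functions that audit the current state of the DisableCompression value, apply or revert it, and read the value back to confirm the change actually took effect. The function names and the report format are assumptions for this example; it must be run in an elevated session on the SMB server.

```powershell
# Registry location named in the advisory workaround.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableCompression'

function Get-SmbCompressionState {
    # Returns the current DWORD value, or $null if it has never been set
    # (on a default install the value is absent and compression is enabled).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SmbCompressionWorkaround {
    # Audit helper: one object per host so results can be collected across a fleet.
    $state = Get-SmbCompressionState
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisableCompression = $state
        Mitigated          = ($state -eq 1)   # only an explicit 1 counts as mitigated
    }
}

function Set-SmbCompressionWorkaround {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Apply', 'Revert')]
        [string]$Action
    )
    # 'Apply' writes 1 (compression disabled); 'Revert' writes 0 (compression re-enabled),
    # matching the advisory's instruction to change the "1" to a "0".
    $value = if ($Action -eq 'Apply') { 1 } else { 0 }
    Set-ItemProperty -Path $Path -Name $Name -Type DWORD -Value $value -Force

    # Read the value back instead of trusting the write; Group Policy or another
    # management tool could have overwritten it, which would leave the server exposed.
    $after = Get-SmbCompressionState
    if ($after -ne $value) {
        throw "Expected $Name=$value but read back '$after'"
    }
    Test-SmbCompressionWorkaround
}

# Example run: report the state before the change, then apply the workaround.
Test-SmbCompressionWorkaround
Set-SmbCompressionWorkaround -Action Apply
```

Re-run Test-SmbCompressionWorkaround periodically (or from a remote session on each file server) to catch hosts where the value was reverted before the patch is deployed.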

Source: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005