Critical remote unauthenticated vulnerability in SMBv3
Microsoft's implementation of SMBv3.1.1 is vulnerable to a pre-authentication remote code execution. This would allow complete takeover of machines that expose SMB services to the network, and means that the vulnerability is wormable – able to spread autonomously.
A similar vulnerability in SMBv1 was responsible for the spread of the WannaCry ransomware, and this could result in similar attacks if not patched.
Modern Windows systems running SMBv3.1.1. Versions affected:
- Windows 10 version 1903
- Windows 10 version 1909
- Windows Server version 1903
- Windows Server version 1909
What this means
To affect an SMB server, an attacker simply needs to be able to connect to the SMB server and send a specially crafted packet.
To affect a client, an attacker must convince a user to connect to a malicious file share.
What to look for
How to tell if you're at risk
If you are running one of the versions of Windows in the affected list, and have not applied the updates that were released on 13 March, then you are at risk.
Microsoft advisory – includes patches
What to do
CERT NZ advises that you apply the patch relevant to your version of Windows 10 or Windows Server immediately to all systems.
If you are unable to apply the patch immediately, then CERT NZ advises that until you can patch the system, you:
- disable SMBv3 compression
- block TCP on port 445.
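The two interim steps above, as an added PowerShell example that is not part of the CERT NZ advisory: it checks whether a host is one of the listed releases with SMBv3 compression still enabled, then applies both mitigations. The function and firewall rule names are my own; the DisableCompression registry value and the ReleaseId check are standard Windows locations, and the script assumes an elevated session.

```powershell
# Added example (not from the advisory). Run as Administrator.
$AffectedReleases = @('1903', '1909')   # the Windows 10 / Server releases listed above
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName  = 'Block inbound SMB (TCP 445) - interim'   # name chosen for this example

function Test-Smbv3CompressionExposure {
    # Reports whether this host runs an affected release and whether the
    # server-side SMBv3 compression switch has already been turned off.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $disabled = (Get-ItemProperty -Path $SmbParams -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
    $affected = $AffectedReleases -contains $cv.ReleaseId
    [pscustomobject]@{
        ReleaseId           = $cv.ReleaseId
        AffectedRelease     = $affected
        CompressionDisabled = ($disabled -eq 1)
        MitigationNeeded    = $affected -and ($disabled -ne 1)
    }
}

function Disable-Smbv3Compression {
    # Interim mitigation 1: disable SMBv3 compression. Takes effect without a
    # reboot and protects the SMB server role only, not outbound client
    # connections to a malicious share. Reverse with -Value 0 after patching.
    Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Block-SmbInbound {
    # Interim mitigation 2: block inbound TCP 445 at the host firewall.
    # This also stops legitimate file sharing to this host until removed.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$state = Test-Smbv3CompressionExposure
$state | Format-List
if ($state.MitigationNeeded) {
    Disable-Smbv3Compression
    Block-SmbInbound
    Write-Host 'Interim mitigations applied; install the 13 March update as soon as possible.'
}
```

Remove the firewall rule with Remove-NetFirewallRule -DisplayName and reset DisableCompression to 0 once the patch is installed and verified.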