1. Vulnerability Advisory
Microsoft has released its March security updates together with an advisory describing how to disable SMBv3 (SMB 3.1.1) compression on Windows 10/Windows Server, as a mitigation for a remote code execution vulnerability in the way the SMBv3 protocol handles certain requests. The advisory ID is ADV200005 (the CVE-2020-0796 page has not yet been updated). Link:
https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/ADV200005
According to the advisory, the SMBv3 (SMB 3.1.1) compression feature enabled in these Windows 10/Windows Server versions contains a buffer overflow. An attacker who successfully exploits it can execute code on the target SMB server or SMB client and thereby gain administrative control of the target system. Install the security update as soon as possible, or apply the temporary mitigation to harden affected systems.
March 2020 security update release notes:
https://portal.msrc.microsoft.com/zh-CN/security-guidance/releasenotedetail/2020-Mar
The March update also fixes a number of other vulnerabilities. One of them concerns .LNK (shortcut) files, CVE-2020-0684, and is likewise remote code execution: an attacker places a crafted .LNK file together with a malicious binary on removable media or a remote share, and the vulnerability is triggered when the user opens that media or share in Windows Explorer (or another application that parses .LNK files). Successful exploitation gives the attacker the same rights as the local user. Link:
https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2020-0684
2. Affected Systems
The SMBv3 (SMB 3.1.1) compression code execution vulnerability affects the following systems:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
The CVE-2020-0684 .LNK shortcut code execution vulnerability affects the following systems:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
3. Vulnerability Description
SMBv3 protocol compression was introduced with SMB 3.1.1 and is enabled by default on Windows 10 and Windows Server version 1903 and later. Reference (MS-SMB2 specification):
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/4287490c-602c-41c0-a23e-140a1f137832
Compression is negotiated on both the SMB server and the SMB client side, so both can be attacked. Against an SMB server, an unauthenticated attacker sends a specially crafted packet to the target SMBv3 server. Against an SMB client, an unauthenticated attacker sets up a malicious SMBv3 server and lures the user into connecting to it.
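The following PowerShell script is an added example by the editor and is not part of the Microsoft advisory. It checks a single host for the conditions that make the server-side attack path above possible (a 1903-or-later build that supports SMB 3.1.1 compression, the SMB server enabled and running, compression not disabled, no inbound block on TCP 445) and lists the peers currently talking SMB 3.1.1 to it. The function name, the build threshold (18362 is the Windows 10/Server 1903 build) and the verdict fields are the editor's assumptions; it must be run from an elevated PowerShell session because Get-SmbServerConfiguration and Get-SmbSession require administrator rights.

```powershell
# Added example (editor's own, not from the advisory): assess one host for exposure
# to the SMBv3 compression vulnerability. Names and thresholds are assumptions.
function Test-Smbv3CompressionExposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # SMB 3.1.1 compression ships with Windows 10 / Server 1903 (build 18362) and later.
    $hasCompression = $build -ge 18362

    # The advisory's server-side mitigation lives under LanmanServer\Parameters.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $disable = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $serverCompressionDisabled = ($disable -eq 1)

    # Is the SMB server actually reachable: SMB2/3 enabled and the Server service running?
    $srvCfg        = Get-SmbServerConfiguration
    $smb2Enabled   = [bool]$srvCfg.EnableSMB2Protocol
    $lanmanRunning = (Get-Service -Name LanmanServer).Status -eq 'Running'

    # Any enabled inbound Windows Firewall rule that explicitly blocks TCP/445?
    $blocked445 = $false
    foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue)) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')) { $blocked445 = $true; break }
    }

    # Peers that negotiated SMB 3.1.1 with this host: inbound sessions (we are the server)
    # and outbound connections (we are the client). These are the peers able to use compression.
    $srvSessions311 = @(Get-SmbSession    -ErrorAction SilentlyContinue | Where-Object Dialect -eq '3.1.1')
    $cliConns311    = @(Get-SmbConnection -ErrorAction SilentlyContinue | Where-Object Dialect -eq '3.1.1')

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        OSBuild                   = $build
        HasSmb311Compression      = $hasCompression
        ServerCompressionDisabled = $serverCompressionDisabled
        SmbServerListening        = ($smb2Enabled -and $lanmanRunning)
        Inbound445Blocked         = $blocked445
        # Server path is exposed only when every precondition holds.
        ServerExposed             = ($hasCompression -and $smb2Enabled -and $lanmanRunning -and
                                     -not $serverCompressionDisabled -and -not $blocked445)
        # The registry key does not cover the client path; only the patch does.
        # Patch status must be verified separately (for example with Get-HotFix).
        ClientExposedIfUnpatched  = $hasCompression
        Smb311SessionsFrom        = $srvSessions311.ClientComputerName
        Smb311ConnectionsTo       = $cliConns311.ServerName
    }
}

# Usage (elevated):
Test-Smbv3CompressionExposure | Format-List
```

ServerExposed is deliberately conservative: a host on an affected build with the Server service running and no explicit 445 block is reported as exposed unless DisableCompression is set. The two peer lists are useful for prioritising: a file server showing many 3.1.1 sessions is the host to mitigate first, and a workstation with 3.1.1 connections to servers outside the estate is the one most at risk from the malicious-server variant.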
On CVE-2020-0684: an attacker can use this vulnerability in phishing-style attacks against users of affected Windows versions to obtain command execution on the user's Windows host.
Install the security update as soon as possible, or apply the temporary mitigation to harden affected systems.
4. Mitigations
Severity: High. Vulnerability details and exploit code have not yet been made public, but patch diffing can locate the trigger point and an exploit can be developed from it. Test and deploy the security update promptly, or apply the temporary mitigation to harden affected systems.
Temporary mitigation:
Disable SMBv3 compression with the following PowerShell command to block unauthenticated attackers from exploiting the vulnerability against the SMBv3 server:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' DisableCompression -Type DWORD -Value 1 -Force
No reboot is required. This does not protect SMBv3 clients. To re-enable compression, run:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' DisableCompression -Type DWORD -Value 0 -Force
In addition, depending on the situation (for example a worm outbreak once details and exploit code are public), consider temporarily blocking TCP port 445.
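The following PowerShell script is an added example by the editor, not part of the Microsoft advisory. It wraps the two registry commands above into one idempotent function, reads the value back to confirm the change took effect rather than trusting the write, and optionally adds a host-level Windows Firewall rule blocking inbound TCP 445 for the worm-outbreak case. The function name, the -Block445 switch and the firewall rule name are the editor's assumptions; run it from an elevated PowerShell session.

```powershell
# Added example (editor's own, not from the advisory): apply, verify and revert the
# SMBv3 compression mitigation. Function name, switch and rule name are assumptions.
function Set-Smbv3CompressionMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true disables server-side compression (the advisory's mitigation); $false reverts it.
        [bool]$Disable = $true,
        # Also block inbound TCP 445 with a Windows Firewall rule (the advisory's fallback
        # for a worm outbreak). Only use this where SMB access to the host can be cut.
        [switch]$Block445
    )

    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $ruleName = 'Block-Inbound-TCP445-SMBv3'   # hypothetical rule name

    $value = if ($Disable) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess($regPath, "Set DisableCompression=$value")) {
        # Same command as in the advisory; -Force creates the value if it does not exist.
        # Takes effect without a reboot.
        Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value $value -Force
    }

    if ($Block445) {
        $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
        if (-not $existing -and $PSCmdlet.ShouldProcess($ruleName, 'Create inbound TCP 445 block rule')) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    }

    # Verify by reading the value back; report what is and is not covered.
    $current = (Get-ItemProperty -Path $regPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $ruleOn  = [bool](Get-NetFirewallRule -DisplayName $ruleName -Enabled True -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DisableCompression = $current
        ServerMitigated    = ($current -eq 1)
        Inbound445Blocked  = $ruleOn
        # The registry key only affects the SMB server; clients are covered only by the patch.
        ClientCovered      = $false
    }
}

# Usage (elevated). Preview with -WhatIf first, then apply:
Set-Smbv3CompressionMitigation -Disable $true -WhatIf
Set-Smbv3CompressionMitigation -Disable $true
# During an outbreak, also cut inbound SMB on the host:
# Set-Smbv3CompressionMitigation -Disable $true -Block445
# Revert the registry change after the security update is installed:
# Set-Smbv3CompressionMitigation -Disable $false
```

Reverting the function with -Disable $false leaves any firewall rule it created in place on purpose, since the rule has to be removed deliberately (Remove-NetFirewallRule -DisplayName) once the host is patched and SMB access is needed again. The ClientCovered field is always false as a reminder that this mitigation does nothing for the SMB client path.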