Microsoft Releases Emergency Fix for Windows SMB3 Vulnerability

As I reported last week, as part of March’s Patch Tuesday, Microsoft released a security advisory detailing a remote code execution (RCE) bug that it was aware of in Server Message Block (SMB) version 3.1.1. SMB is the protocol Windows uses for shared network access to file servers, printers, and serial ports. An attacker could exploit the way SMBv3 handles requests to run code on a target SMB Server or SMB Client. Microsoft said:

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

At the time, Microsoft alleged the flaw hadn’t been publicly exploited or disclosed but that SMB Servers could be protected by disabling SMBv3 compression. But the workaround didn’t protect SMBv3 Clients. The flaw affects Windows 10 versions 1903 and 1909, and the respective Windows Server releases. You can read the original security advisory here.

Details of flaw leaked online

Just prior to Microsoft releasing updates for Patch Tuesday on March 10th, Cisco Talos and Fortinet published short summaries of the vulnerability on their websites. Fortinet said on its website that the flaw was a ‘buffer overflow vulnerability’ in the SMB Server component of Windows. Cisco Talos added that the flaw left systems vulnerable to ‘wormable’ attack. Wormable means that the bug could be used to move laterally from one device to another, much in the same way that WannaCry and NotPetya were able to infect thousands of systems around the world in 2017. For the time being, though, there is no known code in the wild exploiting this vulnerability.

KB4551762 protects against SMB flaw

Nevertheless, Microsoft was quick to act. On March 12th, Microsoft released a cumulative update for Windows 10 1903, 1909, and Windows Server 1903 and 1909. Because Windows Server 2016 and Windows Server 2019 were released under the Semi-Annual Channel (SAC), they are not affected by this vulnerability. Older versions of Windows are also not affected because they don’t support SMB compression.

In the release notes for KB4551762, Microsoft says that while newer versions of Windows support SMB compression, it is not yet used by Windows. So, disabling support has no negative impact on performance. It’s not clear whether the latest patch disables SMB compression or makes changes to the SMB protocol to mitigate the issue. Either way, the patch shouldn’t impact performance or functionality. But like any major update, you should test it thoroughly before deploying it to production systems.
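Because the exposure hinges on three things the article names (whether the host runs a 1903 or 1909 release, whether KB4551762 is installed, and whether the server-side compression workaround is in place), a defender will want a quick per-host audit. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes it runs elevated on the host being checked; the build numbers 18362 (1903) and 18363 (1909) are standard Windows release facts, and the DisableCompression registry value is Microsoft's published server-side workaround, which this page does not quote. The script only reads that value; it never changes configuration.

```powershell
# Added example (not from the article or from Microsoft): report whether this host is
# exposed to the SMBv3 compression flaw, patched by KB4551762, or covered by the
# server-side workaround. Read-only; run elevated so the registry and hotfix queries succeed.

# Windows 10 / Windows Server releases the article names as affected, keyed by OS build number.
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$fixKb          = 'KB4551762'   # the emergency cumulative update named in the article
# Registry location of Microsoft's published server workaround (assumption: not quoted on this page).
$smbParams      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbV3PatchStatus {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        Build            = $build
        AffectedRelease  = $affectedBuilds[$build]   # $null when the build is not 1903/1909
        FixInstalled     = $false
        ServerWorkaround = $false
        Verdict          = ''
    }

    # Get-HotFix lists installed updates by KB id; no entry means this exact update is absent.
    if (Get-HotFix -Id $fixKb -ErrorAction SilentlyContinue) {
        $result.FixInstalled = $true
    }

    # Server-side workaround from the advisory: DisableCompression = 1 (DWORD). Read only.
    $params = Get-ItemProperty -Path $smbParams -ErrorAction SilentlyContinue
    if ($params -and $params.DisableCompression -eq 1) {
        $result.ServerWorkaround = $true
    }

    if (-not $result.AffectedRelease) {
        $result.Verdict = 'Not affected (release does not support SMB compression)'
    } elseif ($result.FixInstalled) {
        $result.Verdict = 'Patched'
    } elseif ($result.ServerWorkaround) {
        $result.Verdict = 'Server side mitigated by workaround; SMB client still exposed, install ' + $fixKb
    } else {
        $result.Verdict = 'VULNERABLE: install ' + $fixKb
    }

    [pscustomobject]$result
}

Get-SmbV3PatchStatus | Format-List
```

Two caveats when reading the output. A later cumulative update supersedes KB4551762 and carries the same fix, so on a host that has taken a newer cumulative update the missing KB entry is not proof of exposure; compare the installed build revision against the update history instead. And, as the article notes, the workaround only protects the SMB Server role, which is why the script still reports the client as exposed until the update is installed.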

Update distribution channels

The update is available via the usual channels: Windows Update and Microsoft Update; Microsoft Update Catalog; Windows Server Update Services (WSUS). The Microsoft Update Catalog can be used to download the update as a standalone package. Organizations using WSUS will see the update synchronized automatically if the product category “Windows 10, version 1903 and later” and security updates are enabled.