The information below was sent to U-M IT groups on March 13, 2020. It is intended for U-M IT staff who are responsible for university devices or servers running Windows 10, versions 1903 or 1909, or Server Core installations of Windows Server, versions 1903 or 1909. It is also intended for individuals who use Windows 10 on their own computers.
Summary
A vulnerability has been discovered in Windows 10 and Windows Server 2019 that could allow for remote code execution. Microsoft has released updates, which should be applied as soon as possible after appropriate testing.
Problem
There is a critical vulnerability in Microsoft Server Message Block (SMB). SMB is a network file sharing protocol in Windows 10 and Windows Server 2019, which lets Windows communicate with devices such as printers and file servers on networks and across the internet. A successful exploit of the SMB bug could allow an attacker to remotely run malicious code on any vulnerable computer.
Affected Versions
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Action Items
Apply the updates provided by Microsoft as soon as possible after appropriate testing. The need for immediate action requires an expedited timeframe that supersedes the remediation timeframes in Vulnerability Management (DS-21).
If the updates from Microsoft cannot be applied after testing them, implement the following mitigation as soon as possible: disable SMBv3 compression to block unauthenticated attackers from exploiting the vulnerability, as detailed in Microsoft Guidance for Disabling SMBv3 Compression.
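As an added example (not part of the U-M advisory or Microsoft's guidance), the following PowerShell reports whether a host is on one of the affected builds, whether it has reached the KB4551762 revision level, and whether the compression workaround is set; it assumes the standard mapping of versions 1903 and 1909 to OS builds 18362 and 18363 and the DisableCompression value described in Microsoft's guidance.

```powershell
# Added example, not the advisory's own code. Run in an elevated PowerShell session.
# Build numbers for Windows 10 / Windows Server versions 1903 and 1909, with the minimum
# UBR (update build revision) installed by KB4551762 (OS Builds 18362.720 and 18363.720).
$PatchedRevision = @{ 18362 = 720; 18363 = 720 }
# Registry location used by Microsoft's SMBv3 compression workaround (ADV200005).
$SmbParamsPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbGhostStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $affectedBuild = $PatchedRevision.ContainsKey($build)
    $patched = $affectedBuild -and ($ubr -ge $PatchedRevision[$build])

    # DisableCompression is absent by default; the workaround sets it to DWORD 1.
    $smb = Get-ItemProperty -Path $SmbParamsPath -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $smb) -and ($smb.DisableCompression -eq 1)

    [pscustomobject]@{
        Build               = "$build.$ubr"
        AffectedBuild       = $affectedBuild
        PatchApplied        = $patched
        CompressionDisabled = $compressionDisabled
        # Exposed means: affected build, update not yet installed, workaround not set.
        Exposed             = $affectedBuild -and -not $patched -and -not $compressionDisabled
    }
}

# Applies the documented interim workaround only; it does not replace installing the update.
function Disable-SmbV3Compression {
    Set-ItemProperty -Path $SmbParamsPath -Name DisableCompression -Type DWORD -Value 1 -Force
}

$status = Get-SmbGhostStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'Host is on an affected build without KB4551762 and without the compression workaround.'
}
```

The workaround protects the host's SMB server role only; a client on an affected build that connects to a malicious server still needs the update.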
Technical Details
This vulnerability in Microsoft SMB could allow for remote code execution. It is caused by an error in the way version 3.1.1 of SMB handles maliciously crafted compressed data packets. To exploit it, an attacker can send specially crafted compressed data packets to a target Microsoft SMB 3.0 (SMBv3) server. Clients that connect to a malicious SMB server would also be affected.
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
- ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.
Information for Users
MiWorkspace machines will be updated as soon as possible. Additional mitigations are already in place on MiWorkspace systems that reduce the potential impact of this vulnerability. If you have Windows 10 installed on your own computer that is not managed by the university, update to the latest version as soon as possible. It is best to set Windows to update automatically.
MiServer customers that manage the operating system on their MiServer systems may need to apply fixes for this vulnerability if they use the vulnerable versions of Windows. The managed OS MiServer systems do not run the versions of Windows that are vulnerable to exploitation of CVE-2020-0796.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact info-assurance@umich.edu.
References
- March 12, 2020—KB4551762 (OS Builds 18362.720 and 18363.720) (Microsoft Updates, 3/12/20)
- A Vulnerability in Microsoft Windows SMB Server Could Allow for Remote Code Execution (CVE-2020-0796) (Center for Internet Security, 3/12/20)
- 48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks (Bleeping Computer, 3/12/20)
- Microsoft releases emergency patch for ‘leaked’ Windows 10 security bug (Tech Crunch, 3/12/20)
- CVE-2020-0796: "Wormable" Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005) (Tenable, 3/10/20)
- Microsoft Guidance for Disabling SMBv3 Compression (Microsoft Security Advisory, 3/10/20)