Microsoft Remote Code Execution Vulnerability

Microsoft Advisory ADV200005 published March 10th, 2020. The vulnerability impacts the compression built into SMBv3.

Microsoft’s CVE page is blank at the time of writing. Mitre’s CVE page is blank as well. Hopefully those links go live soon.

As per the advisory this is unauthenticated remote code execution of a network service. There isn’t a higher threat than this category.

From the advisory, open PowerShell as Administrator and run:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

This command disables SMBv3 compression and mitigates the concern. It needs to be run on every one of your Windows servers and workstations.

Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place.

Unfortunately no patches are available at this time.
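Since the workaround has to reach every server and workstation, here is an added PowerShell example (my own, not from the advisory or Microsoft) that audits a list of hosts over PowerShell remoting, reports whether the DisableCompression value from the advisory is already set to 1, and applies it only when you pass -Apply. It assumes WinRM is enabled and you are an administrator on the targets; the host names in the usage line are placeholders.

```powershell
# Added example, not part of the advisory: audit and optionally apply the
# SMBv3 compression workaround on many hosts. Assumes WinRM/PowerShell remoting
# is enabled and the caller is a local administrator on each target.
function Test-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Apply   # without this switch the function only reports
    )

    # Registry location and value name exactly as given in the advisory.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $name = 'DisableCompression'

    # Runs on the remote host: read the current value (null if the value is absent).
    $readState = {
        param($k, $n)
        $v = (Get-ItemProperty -Path $k -Name $n -ErrorAction SilentlyContinue).$n
        [pscustomobject]@{
            Build              = [Environment]::OSVersion.Version.Build
            DisableCompression = $v
        }
    }

    # Runs on the remote host: the advisory's command, unchanged.
    $applyFix = {
        param($k, $n)
        Set-ItemProperty -Path $k -Name $n -Type DWORD -Value 1 -Force
    }

    foreach ($computer in $ComputerName) {
        try {
            $state = Invoke-Command -ComputerName $computer -ScriptBlock $readState `
                        -ArgumentList $key, $name -ErrorAction Stop
            $mitigated = ($state.DisableCompression -eq 1)

            # Apply only when asked to, only when needed, and honour -WhatIf/-Confirm.
            if ($Apply -and -not $mitigated -and
                $PSCmdlet.ShouldProcess($computer, "Set $name=1 under $key")) {
                Invoke-Command -ComputerName $computer -ScriptBlock $applyFix `
                    -ArgumentList $key, $name -ErrorAction Stop
                # Re-read so the report reflects what is actually on the box.
                $state = Invoke-Command -ComputerName $computer -ScriptBlock $readState `
                            -ArgumentList $key, $name -ErrorAction Stop
                $mitigated = ($state.DisableCompression -eq 1)
            }

            [pscustomobject]@{
                ComputerName       = $computer
                Build              = $state.Build
                DisableCompression = $state.DisableCompression
                Mitigated          = $mitigated
                Error              = $null
            }
        }
        catch {
            # A host you cannot reach is still unverified; surface it rather than skip it.
            [pscustomobject]@{
                ComputerName       = $computer
                Build              = $null
                DisableCompression = $null
                Mitigated          = $false
                Error              = $_.Exception.Message
            }
        }
    }
}

# Usage (placeholder host names): first a dry run of the report, then apply.
# Test-SmbCompressionWorkaround -ComputerName 'ws01','srv01' | Format-Table
# Test-SmbCompressionWorkaround -ComputerName 'ws01','srv01' -Apply -WhatIf
```

Run it without -Apply first to get an inventory of which machines still lack the value, then with -Apply -WhatIf to see exactly which hosts would be changed, and finally with -Apply. Hosts that error out stay flagged as not mitigated so they do not silently drop out of the list.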

How to check if you’re vulnerable:

nmap --script smb-protocols -p445 localhost

You are looking to see whether protocol 3.11 is listed.

You may see versions: 2.02, 2.10, 3.00, 3.02 for example. 3.11 appears to be the affected version.
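When you point nmap at more than one host, reading the dialect list by eye gets tedious. The following added example (mine, not the post's) parses the normal text output of the nmap command above and returns one object per host with its dialect list and a flag for 3.11. The nmap output embedded in it is a constructed sample so the function can be tried offline; feed it real output with nmap's -oN file instead.

```powershell
# Added example, not part of the original post: turn "nmap --script smb-protocols"
# text output into objects and flag hosts that report SMB dialect 3.11.
function Get-SmbDialectReport {
    param([Parameter(Mandatory)][string]$NmapOutput)

    $results = @()
    $current = $null
    $dialects = @()

    # Emits the host collected so far as one result object.
    $flush = {
        if ($null -ne $current) {
            $results += [pscustomobject]@{
                Host     = $current
                Dialects = ($dialects -join ', ')
                Has311   = [bool]($dialects -contains '3.11')
            }
        }
    }

    foreach ($line in ($NmapOutput -split "`r?`n")) {
        if ($line -match '^Nmap scan report for (.+)$') {
            & $flush
            $current  = $Matches[1]
            $dialects = @()
        }
        # smb-protocols prints each dialect on its own "|     2.02" style line;
        # only lines that are just a dialect number are captured.
        elseif ($line -match '^\|\s+(\d\.\d{2})\s*$') {
            $dialects += $Matches[1]
        }
    }
    & $flush
    $results
}

# Constructed sample output (not a real scan) in nmap's normal output format.
$sample = @'
Nmap scan report for ws01.example.internal (10.0.0.11)
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|     3.00
|     3.02
|_    3.11

Nmap scan report for 10.0.0.12
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols:
|   dialects:
|     2.02
|     2.10
|_    3.02
'@

Get-SmbDialectReport -NmapOutput $sample | Format-Table -AutoSize
```

On the sample above, ws01 comes back with Has311 set to True and 10.0.0.12 with False. Note that the last dialect line in nmap's output is printed with a "|_" prefix, which the regex accepts because it only requires the leading "|".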

Update March 12th:

The patch is out:

https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762

Additional reading:

Tenable Blog

Talos Blog

Security Affairs

Possible Group Policy Template