CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 10)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Publicly Disclosed: Yes
Patch Tuesday: 2020-Mar
Released: 2020-03-12
Last Updated: 2020-03-13
EPSS Score: 94.41% (percentile: 100.0%)
CISA KEV: Listed — due 2022-08-10

Description

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

FAQ

What steps can I take to protect my network? 1. Block TCP port 445 at the enterprise perimeter firewall TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. 2. Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network Preventing SMB traffic from lateral connections and entering or leaving the network Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability? No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression and are not affected. Windows Server, version 1903 (Server Core installation) and Windows Server, version 1909 (Server Core installation) are in the Security Updates Table. Are Windows Server, version 1903 and Windows Server, version 1909 that are not Server Core installation affected by this vulnerability? No. Windows Server, versions 1903 and 1909 were both released under the Semi-Annual Channel (SAC) channel. As such, only a Server Core installation is available. For more information Windows servicing channels, please see Servicing Channels-19

Known Exploits (57)

Microsoft SMBv3 Remote Code Execution Vulnerability — added 2025-08-06T07:03:03Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2025-06-14T01:27:56Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2025-04-19T05:29:17Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2025-02-26T04:14:32Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2025-01-29T08:56:11Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2025-01-29T08:52:02Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2024-02-23T08:41:29Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2023-05-29T06:31:51Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2023-02-28T00:27:37Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2022-08-13T16:11:07Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2022-01-11T23:22:35+08:00
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2022-01-11T22:51:14+08:00
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2022-01-10T17:47:01+08:00
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-11-25T04:59:48Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-11-15T22:01:30+08:00
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-10-09T08:19:55Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-10-09T04:52:55Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-09-04T15:07:15Z
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-07-20T13:06:20+08:00
Microsoft SMBv3 Remote Code Execution Vulnerability — added 2021-06-13T20:52:18+08:00

Detection & Weaponization (4 sources)

Maturity: Detection

Metasploit modules: SMBv3 Compression Buffer Overflow, SMBv3 Compression Buffer Overflow
Nuclei templates: Microsoft SMBv3 - Remote Code Execution
YARA rules: SEKOIA_Hacktool_Fscan_Strings
GitHub PoC: 88 repositories

Affected Products (8)

Windows

Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, version 1909 (Server Core installation)

Security Updates (1)

4551762

Acknowledgments

Microsoft Platform Security Assurance & Vulnerability Research

Revision History

2020-03-12: Information published. CVE-2020-0796 resolves the issue discussed in ADV200005 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005). Customers who have already installed the updates released on March 10, 2020 for the affected operating systems should install KB4551762 to be protected from this vulnerability.
2020-03-13: The following revisions have been made: 1. Added an FAQ to clarify that only a Server Core installation is available for Windows Server, version 1903 and Windows Server, version 1909. 2. In the Workarounds, added Note number 3 to state that SMB Compression is not yet used by Windows or Windows Server, and disabling SMB Compression has no negative performance impact. These are informational changes only.