ALERT: IA Alert: Update Windows 10 and Server 2019 for vulnerability

A vulnerability has been discovered in Windows 10 and Windows Server 2019 that could allow for remote code execution. Microsoft has released updates, which should be applied as soon as possible after appropriate testing.

There is a critical vulnerability in Microsoft Server Message Block (SMB). SMB is a network file sharing protocol in Windows 10 and Windows Server 2019, which lets Windows communicate with devices such as printers and file servers on networks and across the internet. A successful exploit of the SMB bug could allow an attacker to remotely run malicious code on any vulnerable computer

Apply the updates provided by Microsoft as soon as possible after appropriate testing. The need for immediate action requires an expedited timeframe that supersedes the remediation timeframes in Vulnerability Management (DS-21).

If the updates from Microsoft cannot be applied after testing them, implement the following mitigations as soon as possible: Disable compression to block unauthenticated attackers from exploiting the vulnerability, as detailed in Microsoft Guidance for Disabling SMBv3 Compression.

This vulnerability in Microsoft SMB could allow for remote code execution. This is due to an error in handling maliciously crafted compressed data packets within version 3.1.1 of SMB. To exploit this vulnerability, an attacker can send specially crafted compressed data packets to a target Microsoft SMB 3.0 (SMBv3) server. Clients who connect to the malicious SMB server would also be impacted.

• Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
• IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
• IA provides vulnerability management guidance to the university.
• ITS updates MiWorkspace and MiServer managed machines as soon as possible after appropriate testing.

MiWorkspace machines will be updated as soon as possible. Additional mitigations are already in place on MiWorkspace systems that reduce the potential impact of this vulnerability. If you have Windows 10 installed on your own computer that is not managed by the university, update to the latest version as soon as possible. It is best to set Windows to update automatically.

MiServer customers that manage the operating system on their MiServer systems may need to apply fixes for this vulnerability if they use the vulnerable versions of Windows. The managed OS MiServer systems do not run the versions of Windows that are vulnerable to exploitation of CVE-2020-0796. 

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Please contact [email protected].

• March 12, 2020—KB4551762 (OS Builds 18362.720 and 18363.720) (Microsoft Updates, 3/12/20)
• A Vulnerability in Microsoft Windows SMB Server Could Allow for Remote Code Execution (CVE-2020-0796) (Center for Internet Security, 3/12/20)
• 48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks (Bleeping Computer, 3/12/20)
• Microsoft releases emergency patch for ‘leaked’ Windows 10 security bug (Tech Crunch, 3/12/20)
• CVE-2020-0796: "Wormable" Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005) (Tenable, 3/10/20)
• Microsoft Guidance for Disabling SMBv3 Compression (Microsoft Security Advisory, 3/10/20)