At 23:00 on March 12, 2020, Microsoft Security Center released a patch to fix the remote code execution vulnerability CVE-2020-0796, which affects Windows SMBv3.

The vulnerability is in srv2.sys, because SMBv3 does not correctly handle compressed data packets. When decompressing a packet, SMBv3 uses the length values supplied by the client but does not check whether they are valid, so the length arithmetic can overflow (an integer overflow). If the overflow occurs, an unauthenticated attacker can remotely send crafted requests and execute commands on hosts that run the affected Windows versions listed below.
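
As an added illustration of the unchecked length arithmetic described above (example code, not part of the original advisory or of Microsoft's code): the header layout follows the SMB2 COMPRESSION_TRANSFORM_HEADER in MS-SMB2, while the function names, the 32-bit wrap model and the hardened check are assumptions made for this example.

```python
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), 16 bytes, little-endian:
# ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2)
# | Flags (2) | Offset/Length (4)
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
PROTOCOL_ID = b"\xfcSMB"
U32_MAX = 0xFFFFFFFF


def parse_header(data):
    """Return the header fields, or None if data is not a compression transform header."""
    if len(data) < HEADER_LEN:
        return None
    proto, orig_size, algorithm, flags, offset = struct.unpack_from(HEADER_FMT, data)
    if proto != PROTOCOL_ID:
        return None
    return {"original_size": orig_size, "algorithm": algorithm,
            "flags": flags, "offset": offset}


def unchecked_alloc_size(orig_size, offset):
    """Model of the unpatched arithmetic: a 32-bit sum that silently wraps,
    so a huge OriginalCompressedSegmentSize yields a tiny allocation."""
    return (orig_size + offset) & U32_MAX


def validate_lengths(hdr, payload_len):
    """Hardened check: reject the packet if the sum would wrap or the offset
    points past the bytes actually received. Returns (ok, reason)."""
    total = hdr["original_size"] + hdr["offset"]  # Python ints do not wrap
    if total > U32_MAX:
        return False, "OriginalCompressedSegmentSize + Offset exceeds 32 bits"
    if hdr["offset"] > payload_len:
        return False, "Offset points past the end of the received packet"
    return True, "ok"


def build_header(orig_size, offset, algorithm=1, flags=0):
    """Constructed sample header used only to exercise the validator."""
    return struct.pack(HEADER_FMT, PROTOCOL_ID, orig_size, algorithm, flags, offset)
```

A detection rule or proxy can apply `validate_lengths` to every compression transform header and drop or alert on packets whose lengths would wrap.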

Risk level: high

Scope of impact:
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10, version 1903 for 32-bit systems
  • Windows 10, version 1903 for x64-based systems
  • Windows 10, version 1903 for ARM64-based systems
  • Windows 10, version 1909 for 32-bit systems
  • Windows 10, version 1909 for x64-based systems
  • Windows 10, version 1909 for ARM64-based systems

Rule-based defense: A virtual patch is available in the Cloud Firewall console to address this vulnerability.

Rule type: command execution

Security suggestions:
  • Install the patch issued by Microsoft. For more information, see Description of CVE-2020-0796.
  • Use the intrusion prevention feature of Cloud Firewall.