At 23:00 on March 12, 2020, the Microsoft Security Response Center (MSRC) released an out-of-band patch (KB4551762) for CVE-2020-0796, a remote code execution vulnerability in the Windows SMBv3 (SMB 3.1.1) server and client.
The vulnerability is in srv2.sys, the kernel-mode SMB server driver, and is caused by incorrect handling of SMBv3 compressed messages. When the server decompresses a message it sizes the destination buffer from two client-controlled fields in the compression transform header, OriginalCompressedSegmentSize and Offset, and adds them without checking that the sum fits in 32 bits. A crafted header makes the sum wrap, the server allocates a buffer far smaller than the data it then copies and decompresses into it, and the result is a kernel heap buffer overflow. An unauthenticated attacker who can reach TCP port 445 on an affected host can trigger it with crafted packets and execute arbitrary code in the kernel. Microsoft's advisory also covers the SMB client: a malicious SMBv3 server can exploit a client that connects to it. Earlier Windows versions do not implement SMBv3 compression and are not affected.
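The length handling described above, as an added example that is not part of this advisory and not srv2.sys code: the 16-byte header layout is the SMB2 COMPRESSION_TRANSFORM_HEADER from MS-SMB2 section 2.2.42, while the "unchecked" size computation is a 32-bit model of the pre-patch arithmetic (an assumption about its shape, not a disassembly). The function names, the hardened variant, and the two packets are constructed for illustration.

```python
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), 16 bytes, little-endian:
#   ProtocolId                      4 bytes  0xFC 'S' 'M' 'B'
#   OriginalCompressedSegmentSize   4 bytes  uncompressed size claimed by the sender
#   CompressionAlgorithm            2 bytes  1 = LZNT1, 2 = LZ77, 3 = LZ77+Huffman
#   Flags                           2 bytes  0x0001 = chained
#   Offset/Length                   4 bytes  raw (uncompressed) bytes preceding the compressed data
TRANSFORM_HDR = struct.Struct("<4sIHHI")
COMPRESSION_MAGIC = b"\xfcSMB"
SUPPORTED_ALGORITHMS = {1, 2, 3}
FLAG_CHAINED = 0x0001
U32_MAX = 0xFFFFFFFF


def parse_transform_header(pkt):
    """Split a compressed SMB2 message into its header fields plus the payload length."""
    if len(pkt) < TRANSFORM_HDR.size:
        raise ValueError("message shorter than the transform header")
    magic, original, algorithm, flags, offset = TRANSFORM_HDR.unpack_from(pkt)
    if magic != COMPRESSION_MAGIC:
        raise ValueError("not a compressed SMB2 message")
    return {"original_size": original, "algorithm": algorithm, "flags": flags,
            "offset": offset, "payload_len": len(pkt) - TRANSFORM_HDR.size}


def unchecked_buffer_size(hdr):
    """Model of the pre-patch computation (assumption, not a disassembly):
    a 32-bit addition of two client-controlled fields that wraps silently."""
    return (hdr["original_size"] + hdr["offset"]) & U32_MAX


def copy_overruns(hdr):
    """After the wrap the server copies Offset raw bytes into the undersized buffer
    before decompressing, so Offset > buffer size is already a heap overflow."""
    return hdr["offset"] > unchecked_buffer_size(hdr)


def checked_buffer_size(hdr):
    """Hardened form: validate every client-controlled quantity before sizing."""
    if hdr["algorithm"] not in SUPPORTED_ALGORITHMS:
        raise ValueError("unsupported CompressionAlgorithm %d" % hdr["algorithm"])
    if hdr["flags"] & FLAG_CHAINED:
        raise ValueError("chained compression is not modelled here")
    if hdr["offset"] > hdr["payload_len"]:
        raise ValueError("Offset points past the received payload")
    total = hdr["original_size"] + hdr["offset"]
    if total > U32_MAX:
        raise ValueError("OriginalCompressedSegmentSize + Offset overflows 32 bits")
    return total


def make_transform(original_size, offset, payload, algorithm=2, flags=0):
    """Build a compressed-message header over a payload (constructed test data)."""
    return TRANSFORM_HDR.pack(COMPRESSION_MAGIC, original_size, algorithm, flags, offset) + payload


# Constructed inputs, not captures: a sane message and one whose sizes wrap.
BENIGN = make_transform(4096, 0, b"\x00" * 64)
WRAPPING = make_transform(0xFFFFFFFF, 0x10, b"\x00" * 64)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("wrapping", WRAPPING)):
        hdr = parse_transform_header(pkt)
        print(name, "unchecked size 0x%x" % unchecked_buffer_size(hdr), "overruns:", copy_overruns(hdr))
        try:
            print(name, "checked size", checked_buffer_size(hdr))
        except ValueError as err:
            print(name, "rejected:", err)
```

With OriginalCompressedSegmentSize 0xFFFFFFFF and Offset 0x10 the unchecked sum is 0xF, so the first 16-byte raw copy already writes past a 15-byte allocation; the checked form rejects the header before anything is allocated. The Offset-versus-payload check matters on its own: even without a wrap, an Offset larger than the data actually received would read beyond the message.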
Risk level: high
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows 10, version 1903 for 32-bit systems
- Windows 10, version 1903 for x64-based systems
- Windows 10, version 1903 for ARM64-based systems
- Windows 10, version 1909 for 32-bit systems
- Windows 10, version 1909 for x64-based systems
- Windows 10, version 1909 for ARM64-based systems
Rule-based defense: A virtual patch is available in the Cloud Firewall console to address this vulnerability.
Rule type: command execution
- Install the patch issued by Microsoft (KB4551762). For more information, see Description of CVE-2020-0796.
- If you cannot patch immediately, apply the workaround from Microsoft advisory ADV200005 and disable SMBv3 compression on servers: set the DWORD value DisableCompression to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. No reboot is needed and Microsoft states that disabling compression does not impair SMB functionality, but the workaround only protects the server side; SMB clients remain exposed until they are patched.
- Block inbound TCP port 445 at the enterprise perimeter so the SMB server cannot be reached from the Internet. This does not prevent exploitation from inside the network.
- Use the intrusion prevention feature of Cloud Firewall.
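A way to check which hosts in the affected-version list actually expose SMB 3.1.1 compression, and to confirm that the DisableCompression workaround took effect, as an added example that is neither Cloud Firewall nor Microsoft code: it sends an SMB2 NEGOTIATE that asks for dialect 3.1.1 with a compression capabilities context and reads back what the server advertises. Field layouts follow MS-SMB2 sections 2.2.3 and 2.2.4; the `probe`, `build_negotiate_request` and `parse_negotiate_response` names are this example's own, the embedded response is constructed rather than captured, and it is an assumption here that a server with DisableCompression=1 simply omits the compression context.

```python
import os
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001     # mandatory when 3.1.1 is offered
CTX_COMPRESSION = 0x0003           # SMB2_COMPRESSION_CAPABILITIES
SHA512 = 0x0001
ALGO_NAMES = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}


def _pad8(b):
    return b + b"\x00" * (-len(b) % 8)


def _context(ctype, data):
    # SMB2_NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data (MS-SMB2 2.2.3.1)
    return struct.pack("<HHI", ctype, len(data), 0) + data


def _smb2_header(flags=0):
    # 64-byte SMB2 header for command 0 (NEGOTIATE); the remaining fields stay zero.
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE,
                       0, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def build_negotiate_request(client_guid=None):
    """NetBIOS-framed NEGOTIATE offering 2.0.2 .. 3.1.1 and LZNT1/LZ77/LZ77+Huffman."""
    dialects = (0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311)
    ctx_offset = (64 + 36 + 2 * len(dialects) + 7) & ~7     # context list is 8-byte aligned
    preauth = struct.pack("<HHH", 1, 32, SHA512) + os.urandom(32)
    compression = struct.pack("<HHI", 3, 0, 0) + struct.pack("<3H", 1, 2, 3)
    contexts = _pad8(_context(CTX_PREAUTH_INTEGRITY, preauth)) + _context(CTX_COMPRESSION, compression)
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0,
                       client_guid or uuid.uuid4().bytes, ctx_offset, 2, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    smb = _smb2_header() + body
    smb += b"\x00" * (ctx_offset - len(smb)) + contexts
    return struct.pack(">I", len(smb)) + smb


def _walk_contexts(smb, offset, count):
    """Yield (ContextType, Data) for each negotiate context; fail on truncation."""
    for _ in range(count):
        if offset + 8 > len(smb):
            raise ValueError("truncated negotiate context list")
        ctype, dlen = struct.unpack_from("<HH", smb, offset)
        data = smb[offset + 8: offset + 8 + dlen]
        if len(data) != dlen:
            raise ValueError("truncated negotiate context")
        yield ctype, data
        offset = (offset + 8 + dlen + 7) & ~7


def parse_negotiate_response(smb):
    """Return the negotiated dialect and the compression algorithm ids the server advertises."""
    if smb[:4] != SMB2_MAGIC or len(smb) < 128:
        raise ValueError("not an SMB2 NEGOTIATE response")
    status, command = struct.unpack_from("<IH", smb, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError("NEGOTIATE failed, NTSTATUS 0x%08x" % status)
    _, _, dialect, ctx_count = struct.unpack_from("<HHHH", smb, 64)
    ctx_offset, = struct.unpack_from("<I", smb, 124)          # NegotiateContextOffset
    algos = []
    if dialect == DIALECT_311:                                 # contexts exist only for 3.1.1
        for ctype, data in _walk_contexts(smb, ctx_offset, ctx_count):
            if ctype == CTX_COMPRESSION:
                n, = struct.unpack_from("<H", data, 0)
                algos = list(struct.unpack_from("<%dH" % n, data, 8))   # after Count, Padding, Flags
    return {"dialect": dialect, "compression": algos}


def compression_exposed(info):
    """True when 3.1.1 was negotiated and a real algorithm is offered. A patched host still
    answers True: this finds the attack surface, not the missing patch. Only the
    DisableCompression workaround turns the answer to False."""
    return info["dialect"] == DIALECT_311 and any(a != 0 for a in info["compression"])


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf


def probe(host, port=445, timeout=5.0):
    """Live check; run only against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        length = struct.unpack(">I", _recv_exact(s, 4))[0] & 0xFFFFFF   # NetBIOS session header
        return parse_negotiate_response(_recv_exact(s, length))


def sample_response(algos=(1, 2, 3)):
    """Constructed response (not a capture) in the shape a Windows 10 1909 host sends: 3.1.1,
    a preauth context, and a compression context unless algos is empty, which is assumed
    here to be how a host with DisableCompression=1 answers."""
    ctx = [_context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, SHA512) + b"\x11" * 32)]
    if algos:
        ctx.append(_context(CTX_COMPRESSION, struct.pack("<HHI", len(algos), 0, 0)
                            + struct.pack("<%dH" % len(algos), *algos)))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, DIALECT_311, len(ctx), b"\x22" * 16, 0x2F,
                       8388608, 8388608, 8388608, 0, 0, 128, 0, 128)   # empty security blob, contexts at 128
    return _smb2_header(flags=0x1) + body + b"".join(_pad8(c) for c in ctx[:-1]) + ctx[-1]
```

Running `compression_exposed(probe("10.0.0.5"))` against a host in scope tells you whether the vulnerable code path is reachable, which is what the firewall rule and the DisableCompression workaround are meant to close off. It does not tell you whether KB4551762 is installed: a patched host still advertises LZNT1, LZ77 and LZ77+Huffman, so pair this with patch inventory (for example `Get-HotFix -Id KB4551762` on the host) rather than treating a True result as "unpatched".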