Solution

Customers are urged to apply the latest patch from Microsoft for CVE-2020-0796 for Windows 10.

Customers can use IPS signature “MS.” to detect attacks that exploit this vulnerability.

It is very important that users apply the Windows 10 patch. This SMB memory corruption vulnerability is extremely severe, for there is a possibility that worms might be able to exploit this to infect and spread through a network, similar to how the WannaCry ransomware exploited the SMB server vulnerability in 2017.

In this blog post, we attempted to explain the root cause of the CVE-2020-0796 vulnerability.

This overflowed the small buffer, which caused memory corruption and the kernel to crash. The above screenshot showed that the kernel used the “rep movs” instruction to copy 0x15f8f (89999) bytes of data into the buffer with a size that was previously allocated at 0x63 (99) bytes. Later, the kernel called the RtlDecompressBufferXpressLz function to decompress the LZ77 data.

This vulnerability can be triggered when the SMB server receives a malformed SMB2_Compression_Transform_Header. There is an integer overflow bug in the Srv2DecompressData function in srv2.sys. This overflow results in the kernel allocating a buffer that's far too small to hold the decompressed data, which leads to memory corruption. This blog post explains how a compressed data packet with a malformed header can cause an integer overflow in the SMB server.

Windows Server, version 1909 (Server Core installation)

Overview

FortiGuard Labs performed an analysis of this vulnerability on Windows 10 x64 version 1903.
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server, version 1903 (Server Core installation)
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems

We urge everyone to patch their Windows 10 computers as soon as possible. In 2017, the WannaCry ransomware exploited SMB server vulnerability CVE-2017-0144, infecting over 200,000 computers and causing billions of dollars in total damages. This SMB vulnerability also has the potential to be exploited by worms to spread quickly. An unauthenticated attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.

Microsoft recently released a patch for CVE-2020-0796, a critical SMB server vulnerability that affects Windows 10.
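
A defender-side check for the malformed-header condition this post describes, as an added example that is not FortiGuard's or Microsoft's code: it parses the 16-byte SMB2 COMPRESSION_TRANSFORM_HEADER and flags headers whose OriginalCompressedSegmentSize and Offset fields sum past 32 bits. Assumptions: the field layout is the unchained form from MS-SMB2, and the function names and sample bytes are constructed for illustration, with values picked so the wrapped sum is 0x63.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 16  /* SMB2 COMPRESSION_TRANSFORM_HEADER, unchained form */
enum verdict { NOT_COMPRESSED, HEADER_OK, HEADER_SUSPICIOUS };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What a 32-bit addition of the two sender-controlled fields yields. */
uint32_t wrapped_alloc_size(uint32_t original_size, uint32_t offset) {
    return original_size + offset;           /* wraps modulo 2^32 */
}

/* msg: one SMB message with the 4-byte transport length prefix removed. */
enum verdict check_compression_header(const uint8_t *msg, size_t len) {
    static const uint8_t magic[4] = { 0xFC, 'S', 'M', 'B' };
    if (len < HDR_LEN || memcmp(msg, magic, 4) != 0)
        return NOT_COMPRESSED;
    uint32_t original_size = le32(msg + 4);  /* OriginalCompressedSegmentSize */
    uint32_t offset = le32(msg + 12);        /* Offset to the compressed data */
    if ((uint64_t)original_size + offset > UINT32_MAX)
        return HEADER_SUSPICIOUS;            /* sum does not fit in 32 bits */
    if (offset > len - HDR_LEN)
        return HEADER_SUSPICIOUS;            /* offset points past the message */
    return HEADER_OK;
}

/* Constructed sample headers (not captured traffic), header bytes only.
   Layout: magic, original size, algorithm (2 = LZ77), flags, offset. */
const uint8_t sample_ok[16]  = { 0xFC,'S','M','B', 0x00,0x10,0,0, 2,0, 0,0,
                                 0,0,0,0 };
const uint8_t sample_bad[16] = { 0xFC,'S','M','B', 0x64,0,0,0, 2,0, 0,0,
                                 0xFF,0xFF,0xFF,0xFF };

int main(void) {
    printf("ok=%d bad=%d wrapped=0x%x\n",
           (int)check_compression_header(sample_ok, sizeof sample_ok),
           (int)check_compression_header(sample_bad, sizeof sample_bad),
           (unsigned)wrapped_alloc_size(0x64, 0xFFFFFFFFu));
    return 0;
}
```

The 64-bit comparison is the same bounds check a decompression routine needs before allocating; a network sensor can apply it to every message that starts with the 0xFC 'S' 'M' 'B' magic.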