Loading...

Knowledge Center

Are you a home/consumer customer? Visit the Home/Consumer Support Site

Response to Microsoft Server Message Block SMBv3 RCE vulnerability (CVE-2020-0796)

Technical Articles ID: KB92502
Last Modified: 3/15/2022

Summary

Recent updates to this article

Date	Update
March 15, 2022	Minor formatting updates. No content changes.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

We're aware of the recent Remote Code Execution (RCE) vulnerability in Microsoft Server Message Block SMBv3 (CVE-2020-0796). We're working to identify countermeasures to help protect against this vulnerability. We'll update this article as more updates become available.

Microsoft issued an advisory that describes the issue and provides initial workarounds.

In this advisory, Microsoft also suggests that you prevent SMB traffic from making lateral connections, and from entering or leaving the network.

Microsoft released an out-of-band update on March 12, 2020 to cover this vulnerability. We highly recommend implementing this update as soon as possible.

The following products detect or block this threat and provide organizations with the means to respond in a timely manner.

Click to expand the section you want to view:

Endpoint Security (ENS) and Host Intrusion Prevention (Host IPS)

We released an updated ENS Exploit Prevention content package (version 10050) that contains a new signature: 6157 - SMB v3 Remote Code Execution Vulnerability (CVE-2020-0796). This signature is disabled by default. Perform appropriate testing before you enable this rule to help prevent false positives. Clients that receive this content update must be on V3 Virus Definition version 3786 or higher for this signature to work properly.

See the Exploit Prevention Content 10050 Release Notes for more details. This content release isn't applicable for Host IPS.

Or, these port blocks can be implemented in the Firewall module of ENS, and in the Firewall component of Host IPS.

Application Protocol	Protocol	Port
SMB	TCP	445
NetBIOS Name Resolution	UDP	137
NetBIOS Datagram Service	UDP	138
NetBIOS Session Service	TCP	139

If you’re using ENS Firewall 10.7.0 to manage network traffic, specifically NetBIOS port 137, 138, 139, and 445 traffic, be aware of the known issue below:

KB92248 - SYSTEM network traffic is allowed via "Allow McAfee signed applications" rule

Network Security Platform (IPS)

The Network Security Platform team released signature set release version 10.8.7.2 on March 10, 2020 to detect this vulnerability.

The signature has the following attack name and ID:

Attack Name: NETBIOS-SS: Samba Remote Code Execution Vulnerability (CVE-2020-0796)
Attack ID: 0x43c0e600

For release notes and additional information about the emergency signature set release, see KB55446 - REGISTERED - Network Security Signature Set Updates.

NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.

Affected Products

Best Practices
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Host Intrusion Prevention 8.0 (EOL)
Network Security Manager 9.2.x
Network Security Manager 9.1.x
Network Security Manager 10.x
Network Security Sensor Appliance 9.2.x
Network Security Sensor Appliance 9.1.x
Network Security Sensor Appliance 10.x
Vulnerability Response

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified