Added that McAfee Enterprise has released an updated ENS Exploit Prevention content package (version 10050) that contains a new signature: 6157 - SMB v3 Remote Code Execution Vulnerability (CVE-2020-0796).
March 12, 2020
Added that Microsoft has released an out-of-band update. Added product-specific notes for Endpoint Security Firewall, Host Intrusion Prevention, and Network Security Platform.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
McAfee Enterprise is aware of the recent Remote Code Execution (RCE) vulnerability in Microsoft Server Message Block SMBv3 (CVE-2020-0796). McAfee Enterprise is working to identify countermeasures to help protect against this vulnerability. McAfee Enterprise will update this article as more updates become available.
Microsoft issued an advisory that describes the issue and provides initial workarounds.
In this advisory, Microsoft also suggests that you prevent SMB traffic from making lateral connections, and from entering or leaving the network.
Microsoft released an out-of-band update on March 12, 2020 to cover this vulnerability. McAfee Enterprise highly recommends implementing this update as soon as possible.
The following McAfee Enterprise products detect or block this threat and provide organizations with the means to respond in a timely manner.
Click to expand the section you want to view:
McAfee Enterprise has released an updated ENS Exploit Prevention content package (version 10050) that contains a new signature: 6157 - SMB v3 Remote Code Execution Vulnerability (CVE-2020-0796). This signature is disabled by default. Perform appropriate testing before you enable this rule to help prevent false positives. Clients that receive this content update must be on V3 Virus Definition version 3786 or higher for this signature to work properly.
Or, these port blocks can be implemented in the Firewall module of ENS, and in the Firewall component of Host IPS.
Application Protocol
Protocol
Port
SMB
TCP
445
NetBIOS Name Resolution
UDP
137
NetBIOS Datagram Service
UDP
138
NetBIOS Session Service
TCP
139
If you’re using ENS Firewall 10.7.0 to manage network traffic, specifically NetBIOS port 137, 138, 139, and 445 traffic, be aware of the known issue below:
For release notes and additional information about the emergency signature set release, see: KB55446 - REGISTERED - Network Security Signature Set Updates. NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.
