Microsoft March 2020 Security Updates, fix for SMBv3 RCE vulnerability (updated)

Microsoft released the March 2020 Security Updates that include 115 unique vulnerability fixes, 26 of those rated critical. This is the largest patch release in Microsoft’s history. Microsoft also issued guidance and a new security update to fix an SMBv3 RCE vulnerability CVE-2020-0796 dubbed SMBGhost.

In all, the security updates address vulnerabilities in the following Microsoft products:

  • Azure
  • Azure DevOps
  • ChakraCore
  • Internet Explorer
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Exchange Server
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft Windows
  • Open Source Software
  • Visual Studio
  • Windows Defender

Microsoft has provided patches for each of the vulnerabilities and summarized in the March 2020 Security Updates Release Notes.

Remote Code Execution vulnerabilities

All of the 26 Critical bugs could result in remote code execution (RCE).

Of special note, a LNK RCE Vulnerability CVE-2020-0684 could allow remote code execution if a .LNK file is processed.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft warned in the advisory.

Another critical vulnerability CVE-2020-0883 impacts the Windows Graphics Device Interface (GDI) and how it handles objects in the memory.

In addition, Microsoft patched an RCE vulnerability CVE-2020-0852 in Microsoft Word and another RCE vulnerability CVE-2020-0872 in Application Inspector.

Readers can also check out more vulnerability and patch details in Microsoft’s Security Update Guide.

Guidance on SMBv3 RCE vulnerability

Microsoft also issued guidance to disable SMBv3 compression to mitigate the impact of an RCE vulnerability in SMBv3.

“Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client,” Microsoft stated in the advisory.

“To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.”

Microsoft provided the following workarounds to disable SMBv3 compression to “block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server” via the following PowerShell command:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force.

Microsoft confirmed the issue impacts multiple versions of Windows 10 and Windows Server (server core installation) version 1903 and 1909.

Update 3/12: According to a new report on Bleeping Computer on Thursday, 48,000 Windows hosts were found vulnerable to CVE-2020-0796 RCE attacks, dubbed SMBGhost. The vulnerable hosts were discovered by researchers at cybersecurity firm Kryptos Logic.

Microsoft also provided a new security update for CVE-2020-0796.

Related Articles