Dashboard Toolbox - VM DASHBOARD: Microsoft RCE SMBv3 Advisory-CVE-2020-0796

Document created by Felix Jimenez (Qualys employee) on Mar 12, 2020; last modified by Felix Jimenez on Mar 15, 2020 (version 6).

This page contains template information to create a Vulnerabilities Dashboard leveraging data in your Qualys Vulnerability Management subscription.

The Vulnerability

A critical remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 protocol handles certain requests. An unauthenticated attacker could exploit the vulnerability to execute arbitrary code on the target SMB server by sending a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

Affected Operating Systems

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Detecting CVE-2020-0796 with Qualys VM

Qualys has issued QIDs 91614 and 91616 for Qualys Vulnerability Management to cover CVE-2020-0796. Both detections require authenticated scanning or the Qualys Cloud Agent.

QID 91614 : Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)

This QID checks whether SMBv3 is enabled on the host and whether the ADV200005 workaround below has not been applied. The workaround sets the DisableCompression value under the LanmanServer Parameters key (run from an elevated PowerShell prompt; no reboot is required):

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Note that disabling compression only protects the SMB server; it does not prevent exploitation of SMB clients, so the workaround is a stop-gap until KB4551762 is installed.

QID 91616: Microsoft Windows SMBv3 Compression Remote Code Execution Vulnerability (KB4551762)

Details on Qualys QIDs 91614 and 91616:

If neither the KB4551762 patch nor the SMBv3 compression workaround has been applied: QIDs 91614 and 91616 are both posted in the scan results.

If the SMBv3 workaround has been applied but the KB4551762 patch is not installed on the host: only QID 91616 is posted in the scan results.

If the KB4551762 patch is installed on the host: neither QID is posted in the scan results.
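The following script is an added example, not Qualys code and not how the QIDs are implemented internally; it reproduces on a single host the three outcomes described above so that you can pre-check a machine before the next scan or agent upload. It assumes the SMBv3 server state can be read from Get-SmbServerConfiguration (EnableSMB2Protocol governs SMB 2.x and 3.x together), that the patch can be judged by Get-HotFix finding KB4551762, and that the affected builds are 18362 (version 1903) and 18363 (version 1909). Run it in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not Qualys-provided code): local pre-check that mirrors the logic the
# page attributes to QID 91614 (SMBv3 enabled, DisableCompression workaround absent)
# and QID 91616 (KB4551762 absent). All function names here are the example's own.

function Test-AffectedBuild {
    # Assumption: only Windows 10 / Server 1903 (18362) and 1909 (18363) ship SMB 3.1.1 compression
    $build = [System.Environment]::OSVersion.Version.Build
    return ($build -in @(18362, 18363))
}

function Test-Smb3ServerEnabled {
    # Assumption: EnableSMB2Protocol covers SMB 2.x and 3.x; there is no separate SMBv3 switch
    $cfg = Get-SmbServerConfiguration
    return [bool]$cfg.EnableSMB2Protocol
}

function Test-CompressionWorkaroundApplied {
    # The ADV200005 workaround the text above describes: DisableCompression = 1 (REG_DWORD)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $key -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $item -and [int]$item.DisableCompression -eq 1)
}

function Test-Kb4551762Installed {
    # Assumption: the out-of-band fix shows up in Win32_QuickFixEngineering under its KB number
    return ($null -ne (Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue))
}

function Get-Cve20200796Exposure {
    # Returns the host state and the QIDs a scan should report under the three cases above.
    # -ApplyWorkaround sets DisableCompression=1 on an affected, unpatched host (server side only).
    param([switch]$ApplyWorkaround)

    $state = [ordered]@{
        Host              = $env:COMPUTERNAME
        AffectedBuild     = Test-AffectedBuild
        Smb3ServerEnabled = Test-Smb3ServerEnabled
        WorkaroundApplied = Test-CompressionWorkaroundApplied
        PatchInstalled    = Test-Kb4551762Installed
        ExpectedQids      = @()
    }

    if ($ApplyWorkaround -and $state.AffectedBuild -and
        -not $state.PatchInstalled -and -not $state.WorkaroundApplied) {
        # Same change as Microsoft's ADV200005 command; takes effect without a reboot
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name DisableCompression -Type DWORD -Value 1 -Force
        $state.WorkaroundApplied = Test-CompressionWorkaroundApplied
    }

    if ($state.AffectedBuild -and -not $state.PatchInstalled) {
        # Case 3 (patched) yields no QIDs, so only unpatched affected hosts are classified.
        # Case 1: both QIDs when SMBv3 is on and the workaround is missing.
        if ($state.Smb3ServerEnabled -and -not $state.WorkaroundApplied) {
            $state.ExpectedQids += 91614
        }
        # Cases 1 and 2: 91616 stays posted until KB4551762 is installed.
        $state.ExpectedQids += 91616
    }
    return [pscustomobject]$state
}

# Usage (elevated prompt):
#   Get-Cve20200796Exposure | Format-List
#   Get-Cve20200796Exposure -ApplyWorkaround | Format-List
```

Treat a host that reports WorkaroundApplied but not PatchInstalled exactly as the second case above: it will still carry QID 91616, and its SMB client side remains exposed, so it belongs in the patch queue rather than the remediated set.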

You can search for this Microsoft RCE SMBv3 CVE-2020-0796 within the VM Dashboard by using one of the following QQL queries:

vulnerabilities.vulnerability.cveIds:CVE-2020-0796

vulnerabilities.vulnerability.qid:91614

vulnerabilities.vulnerability.qid:91616


You can use Policy Compliance to further build a policy to check for the passing and failing controls:


Related Qualys Blog Post: https://blog.qualys.com/laws-of-vulnerabilities/2020/03/11/microsoft-windows-smbv3-remote-code-execution-vulnerability-c… 

IMPORTANT: Importing Dashboard and/or Widget JSON files - Enable historical data collection

When you export dashboard(s) and/or widget(s) that have "Enable historical data collection" turned on and later import them, you will have to manually turn "Enable historical data collection" back on after the import. This is by design: turning the feature on is what starts the clock for data retention.

If you have any questions, please post them below, contact your TAM, or contact Support (Technical Assistance Inquiry Form | Qualys, Inc.).
