Requesting a new QID for CVE-2020-0796
See Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796).
Update March 12: The blog post now references newly available patch information from Microsoft.
I read about this for the first time on Tenable's Facebook page. I then joined Qualys' page expecting to read something similar, and all I can see is guff about conferences and opportunities to sell products.
IMO when a vendor offers blogs such as SMBv3 for free on social media, this is a decent carrot to say "I think I'll see how they can help my business".
I am now seeing QID 91614 Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005), which appears to simply check whether or not you have the workaround enabled. It says it applies to both Win 10 1903/1909 and Server 1903/1909, yet the guidance from Microsoft makes it pretty clear that "This workaround does not prevent exploitation of SMB clients.", so I am not sure this is quite right.
So I'll answer my own comment since it appears Qualys is ignoring us. Based on updated information, the wormable part of this vulnerability is present on BOTH desktops/servers, as the impacted services run on all SMB-enabled hosts. The mitigation of disabling compression needs to be done on ALL impacted OSes.
What Microsoft is alluding to in ADV200005 with the 'This workaround does not prevent exploitation of SMB clients.' part is the "client connects to malicious/compromised host" part of the vulnerability. You will still be vulnerable to this after mitigation, but if you have no servers vulnerable by applying the above mitigation globally and you don't allow SMB in/out of your LAN, you've essentially nullified it anyway.
PS - Verify it yourself: the services are LanmanWorkstation and LanmanServer, with display names of Workstation and Server respectively.
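An added example (not part of the thread and not Qualys detection logic): a read-only PowerShell check of the host state discussed above. The registry path and the `DisableCompression` value name are taken from Microsoft's ADV200005 guidance, not from this page; the function and output property names are hypothetical.

```powershell
# Added example: read-only report of the ADV200005 workaround state on the local host.
# Registry path and value name are from Microsoft's ADV200005 guidance (assumption:
# they are not quoted in this thread). Function and property names are hypothetical.
function Get-SmbCompressionWorkaroundState {
    [CmdletBinding()]
    param(
        [string]$ParametersPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    )

    # The two services named in the thread; either may be absent or stopped.
    $services = foreach ($name in 'LanmanServer', 'LanmanWorkstation') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $name
            DisplayName = if ($svc) { $svc.DisplayName } else { $null }
            Status      = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        }
    }

    # A missing value is treated the same as 0: the workaround was not applied.
    $value = $null
    $item  = Get-ItemProperty -Path $ParametersPath -Name 'DisableCompression' -ErrorAction SilentlyContinue
    if ($item) { $value = $item.DisableCompression }
    $applied = ($value -eq 1)

    $serverRunning = ($services | Where-Object Name -eq 'LanmanServer').Status -eq 'Running'
    $clientRunning = ($services | Where-Object Name -eq 'LanmanWorkstation').Status -eq 'Running'

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        DisableCompression      = $value
        WorkaroundApplied       = $applied
        # Server service is listening and compression has not been disabled.
        ServerSideUnmitigated   = ($serverRunning -and -not $applied)
        # Per the advisory text quoted in the thread, the workaround does not cover
        # SMB clients, so a running Workstation service stays flagged either way.
        ClientSideNotCovered    = $clientRunning
        Services                = $services
    }
}

Get-SmbCompressionWorkaroundState | Format-List
```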
You can see details of the detection at Microsoft Security Bulletins: March 2020 under the heading "Microsoft Guidance for Disabling SMBv3 Compression Not Applied (ADV200005)".
I've forwarded the feedback above to the signatures team.
See also Dashboard Toolbox - VM DASHBOARD: Microsoft RCE SMBv3 Advisory-CVE-2020-0796