CVE-2020-0796: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2020-0796), also known as SMBGhost, was discovered in Microsoft Server Message Block 3.1.1 (SMBv3) protocol. The vulnerability was disclosed in March 2020 and affects how the SMBv3 protocol handles certain requests. The affected systems include Windows 10 versions 1903 and 1909, as well as Windows Server versions 1903 and 1909 (NVD).

The vulnerability exists in the way that the Microsoft SMBv3 protocol handles compressed data packets, leading to a buffer overflow condition. It received a CVSS v3.1 base score of 10.0 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (NVD, Rapid7).

The vulnerability allows attackers to execute code remotely on target systems without authentication. It can be exploited both on SMB clients and servers, potentially leading to widespread compromise in networked environments. The critical severity rating indicates the potential for complete system compromise with high confidentiality, integrity, and availability impacts (NVD).

Microsoft released security patches to address the vulnerability. For systems that cannot be immediately patched, Microsoft recommended disabling SMBv3 compression and blocking TCP port 445 on firewalls and client computers as temporary workarounds. The workaround can be implemented by running a PowerShell command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force (Rapid7).