It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019

Topic

New Reply

I’ll have more details about this shortly, but many of you admins are rightly concerned about the CVE-2020-0796 security hole, which was announced, th
[See the full post at: It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019]

1 user thanked author for this post.

Mr. Natural

Reply | Quote

Replies

woody wrote:

It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019

2013?

2 users thanked author for this post.

woody, LoneWolf

Reply | Quote

Oooops. I invented two new Server versions. Sorry ’bout that. Another cup o’ coffee, guv’na.

2 users thanked author for this post.

Elly, LoneWolf

Reply | Quote

b wrote:

woody wrote:

It looks like the announced-but-not-fixed CVE-2020-0796 “CoronaBlue” vuln is only for Server 2013 and 2019

2013?

Ditto, I was wondering about this.

Server 2016 and 2019, perhaps?

We are SysAdmins.
We walk in the wiring closets no others will enter.
We stand on the bridge, and no malware may pass.
We engage in support, we do not retreat.
We live for the LAN.
We die for the LAN.

Reply | Quote

If it only affects 1903 and 1909 then only Server 2019 would be affected. Server 2016 is based on 1607.

Reply | Quote

The BleepingComputer article specifically mentions Core installs only, which makes even less sense. Why would SMBv3 be less vulnerable on a Desktop Experience install?

2 users thanked author for this post.

LoneWolf, woody

Reply | Quote

Good question. Microsoft’s ADV isn’t at all clear.

Reply | Quote

steeviebops wrote:

If it only affects 1903 and 1909 then only Server 2019 would be affected. Server 2016 is based on 1607.

Hang on (can’t seem to edit my own post). Server 2019 is based on 1809 so shouldn’t be affected either. So would only be the Core 1903 and 1909 releases in that case.

Reply | Quote

A Windows 10 PC can be a SMB server if it shares a folder or a printer. In fact, all Windows 10 PCs are SMB servers since the C drive is always shared as c$.

Do not confuse Windows Server and SMB server.

Reply | Quote

The crazy part about this is that it affects the client as well.

To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

There’s a way to disable smb compression for servers, but not for clients. Surely even if there was a problem with the real patch, they could’ve shipped a patch that let us disable compression on the client side.

Can an attacker just replace a normal smb server with arp poisoning or something? SMB has session signatures, but it doesn’t have long-lasting certificates like an HTTPS site, does it? And the policy “Microsoft network client: Digitally sign communications (always)” is disabled by default.

Does a client have to log in to a specific share, or is browsing a computer’s shares with Network Discovery enough to exploit?

There way too much we don’t know.

I have now seen/talked to 3 different people claiming they found the bug in less than 5 minutes. I won’t be surprised if exploits pop up online by the end of the day.

I would not be surprised either. Buffer overflows are a simple exploit. Once it’s known one is out there, people can find them. This one is just hidden by a new/obscure smb compression extension.

The crypto bug the NSA found is similar, it’s just low-hanging fruit that could be gleamed from the wikipedia page of elliptic curve cryptography, or from a basic crypto lecture. Nobody would imagine that it would exist in a real implementation in 2020.

Reply | Quote

Can someone provide some advice for the common folk:  being a home user, on a local network with 2 laptops that share a wireless printer, using a router, is this a concern? Do I need to disable SMBv3 compression, etc.? Running Gibson’s ShieldsUP shows all ports, including 445, as stealth. Currently on Win 10 1909. Just trying to figure out if I need to take any action or just wait on a patch from MS.

Reply | Quote

Woody says:

And if you aren’t in charge of a network, sit back and smile. You have other things to worry about.

1 user thanked author for this post.

woody

Reply | Quote

Windows 10 running a C$ share would all be affected, wouldn’t it?  The only Win10 1903/1909 installs not affected may be Home users (assuming they don’t share printers).  Pro and higher will most likely have the exploit even if not on a domain.

Reply | Quote

I understand that you’re concerned but… there’s no exploit as yet, and precious few details about who’s affected.

Sit tight. There are plenty of people working on it.

Reply | Quote

anonymous wrote:

Windows 10 running a C$ share would all be affected, wouldn’t it?  The only Win10 1903/1909 installs not affected may be Home users (assuming they don’t share printers).  Pro and higher will most likely have the exploit even if not on a domain.

IF 1909-64 Home users w/1-Printer ARE affected can someone clarify if the the Power Shell Cmd that is entered in SERVERS Admin Cmd Prompt applies, ALSO, to just Desktop users. All To-Do’s address Server environments yet 1909-64 Desktops are allegedly affected and nothing specifically is said about them.

Sorry for Double Post & missed clarification just above- Continue to WISH Edit lasted longer.

I see that PKC’s — And if you aren’t in charge of a network, sit back and smile. You have other things to worry about. — makes my question moot.

W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

Reply | Quote