{"id":17922,"date":"2020-03-17T20:34:26","date_gmt":"2020-03-18T04:34:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11655\/"},"modified":"2020-03-17T20:34:26","modified_gmt":"2020-03-18T04:34:26","slug":"news-11655","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/03\/17\/news-11655\/","title":{"rendered":"CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server"},"content":{"rendered":"
\n
<\/div>\n
\n

FortiGuard Labs<\/a>\u00a0Threat Analysis Report<\/b><\/p>\n

\u00a0<\/p>\n<\/p><\/div>\n

\n
\n

Affected platforms:<\/span>    Windows 10
Impacted parties:       All Windows users 
Impact:                       <\/span>An unauthenticated attacker can exploit this wormable vulnerability to cause <\/span>memory corruption, which may                                      lead to remote code execution. <\/span><\/p>\n

Severity level:<\/span>             High<\/span><\/p>\n

Solution:<\/span>                     All Windows 10 users are urged to apply the <\/span>patch for CVE-2020-0796<\/span><\/p>\n<\/div><\/div>\n

\n

Introduction<\/h2>\n

Microsoft recently released a patch for CVE-2020-0796<\/a>, a critical SMB server vulnerability that affects Windows 10. An unauthenticated attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.<\/p>\n

This SMB vulnerability also has the potential to be exploited by worms to spread quickly. In 2017, the WannaCry ransomware exploited SMB server vulnerability CVE-2017-0144, infecting over 200,000 computers and causing billions of dollars in total damages. We urge everyone to patch their Windows 10 computers as soon as possible.<\/p>\n

Affected Versions<\/h2>\n

Windows 10 Version 1903 for 32-bit Systems<\/p>\n

Windows 10 Version 1903 for x64-based Systems<\/p>\n

Windows 10 Version 1903 for ARM64-based Systems<\/p>\n

Windows Server, version 1903 (Server Core installation)<\/p>\n

Windows 10 Version 1909 for 32-bit Systems<\/p>\n

Windows 10 Version 1909 for x64-based Systems<\/p>\n

Windows 10 Version 1909 for ARM64-based Systems<\/p>\n

Windows Server, version 1909 (Server Core installation)<\/p>\n

Overview<\/h2>\n

FortiGuard Labs performed an analysis of this vulnerability on Windows 10 x64 version 1903. This blog post explains how a compressed data packet with a malformed header can cause an integer overflow in the SMB server. This overflow results in the kernel allocating a buffer that’s far too small to hold the decompressed data, which leads to memory corruption.<\/p>\n

Technical Analysis<\/h2>\n

There is an integer overflow bug in the Srv2DecompressData function in srv2.sys. This vulnerability can be triggered when the SMB server receives a malformed SMB2_Compression_Transform_Header<\/a>.\u00a0<\/p>\n<\/p><\/div>\n