Описание
Win32 File Enumeration Remote Code Execution Vulnerability
Обходное решение
The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place:
Disable SMBv3 compression
You can disable compression to block authenticated attackers from exploiting the vulnerability against an SMBv3 Server with the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Notes:
- No reboot is needed after making the change.
- This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients.
You can disable the workaround with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
Note: No reboot is needed after disabling the workaround.
FAQ
What steps can I take to protect my network?
- Block TCP port 445 at the enterprise perimeter firewall
- TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
- Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network
Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?
No. The vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected.
According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?
Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Windows 10 Version 20H2 for 32-bit Systems | ||
| Windows 10 Version 20H2 for ARM64-based Systems | ||
| Windows Server, version 20H2 (Server Core Installation) | ||
| Windows 10 Version 21H1 for x64-based Systems | ||
| Windows 10 Version 21H1 for ARM64-based Systems | ||
| Windows 10 Version 21H1 for 32-bit Systems | ||
| Windows Server 2022 | ||
| Windows Server 2022 (Server Core installation) | ||
| Windows 11 version 21H2 for x64-based Systems | ||
| Windows 11 version 21H2 for ARM64-based Systems |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
8.8 High
CVSS3
Связанные уязвимости
Win32 File Enumeration Remote Code Execution Vulnerability
Windows SMBv3 Client/Server Remote Code Execution Vulnerability.
Уязвимость реализации сетевого протокола Server Message Block (SMBv3) операционной системы Microsoft Windows, позволяющая нарушителю выполнить произвольный код
EPSS
8.8 High
CVSS3