CVE-2022-35804

Обходное решение

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place.

Disable SMBv3 compression

To block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Client with the following PowerShell command:

To block authenticated attackers from exploiting the vulnerability against an SMBv3 Server with the following PowerShell command:

Note: No reboot is needed after making the change.

How to undo the workaround: You can revert the workaround with the following PowerShell command:

Note: No reboot is needed after reverting the workaround.

FAQ

How could an attacker exploit the vulnerability?

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target system. This vulnerability can be exploited through two different vectors:

• For the vulnerability to be exploited on the SMB Client, an unauthenticated attacker would first need to configure a malicious SMBv3 server and convince a user to connect to it by enticing them to click a specially crafted link.

• **For the vulnerability to be exploited on the SMB Server **, an authenticated attacker could send specially crafted packets from an SMB Client to a targeted SMBv3 Server.

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall

• TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network

Secure SMB Traffic in Windows Server: *https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-secure-traffic

Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?

No.