Worklet: Turn off SMBv3 compression to remediate CVE-2020-0796

  • March 11, 2020

Nic-Automox

There’s a buffer overflow vulnerability in SMBv3. Currently no patch exists, so Microsoft recommends turning off SMBv3 compression on your Windows 2019 servers. There’s not yet a known exploit in the wild for this vulnerability. The following code will turn off compression on Windows Server 2019.

Evaluation code:

Exit 1

Remediation code:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

This will protect servers from being exploited, but does not protect Windows 10 SMBv3 clients. To stop any Windows 10 clients in your environment being exploited, Microsoft recommends blocking port 445 on your external firewalls. However, if an attacker has already infiltrated your network then they’ll still be able to exploit Windows 10 clients if they can trick a user into connecting to an SMBv3 share.

References:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
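
The evaluation code in the post always exits 1, so remediation runs on every evaluation. The following is an added example, not part of the original post or Automox's own code: an evaluation script that reads the same registry value and only requests remediation when compression is still enabled. It assumes the worklet runner treats exit code 0 as compliant and any non-zero exit code as "run remediation"; the function name is hypothetical.

```powershell
# Added example: evaluation check for the DisableCompression setting.
# Assumption: exit 0 = compliant, non-zero = run the remediation code.

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableCompression'

# Hypothetical helper: returns $true only when the value exists and equals 1.
function Test-SmbCompressionDisabled {
    param(
        [string]$KeyPath,
        [string]$ValueName
    )

    # A missing key or a missing value means the default applies,
    # which leaves SMBv3 compression enabled.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return $false
    }

    try {
        return ([int]$item.$ValueName -eq 1)
    }
    catch {
        # Value exists but is not numeric; treat as non-compliant.
        return $false
    }
}

if (Test-SmbCompressionDisabled -KeyPath $Path -ValueName $Name) {
    Write-Output "$Name is set to 1; SMBv3 compression is disabled on this server."
    exit 0
}
else {
    Write-Output "$Name is absent or not 1; remediation required."
    exit 1
}
```

Running the same script after remediation confirms that the value was written, since it should then exit 0.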
