Resolve-CVE-2020-0796.ps1
<#
.SYNOPSIS
    This cmdlet is meant to mitigate Windows operating systems vulnerable to CVE-2020-0796.
    It checks the OS version to determine whether or not a change is necessary. If a system is
    vulnerable this cmdlet makes the recommended registry change suggested by Microsoft. The
    workaround provided by Microsoft is only effective for SMBv3 servers, not SMBv3 clients.

.PARAMETER ComputerName
    Specifies one or more computers. The default is the local computer.
    Type the NetBIOS name, an IP address, or a fully qualified domain name of a remote computer. To specify the
    local computer, type the computer name, a dot (.), or localhost.
    Remote computers are reached with Invoke-Command, so PowerShell remoting (WinRM) must be enabled on them
    and the caller needs administrative rights on each target. The registry change is written under HKLM, so
    the session must be elevated on the local computer as well.

.PARAMETER Undo
    Specify this switch parameter if you want to undo the changes this function makes to the registry.
    This will re-enable SMB v3.1.1 compression on Windows versions 1903 and 1909.

.DESCRIPTION
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block
    3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the
    vulnerability could gain the ability to execute code on the target server or client. To
    exploit the vulnerability against a server, an unauthenticated attacker could send a specially
    crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an
    unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user
    to connect to it. The security update addresses the vulnerability by correcting how the SMBv3
    protocol handles these specially crafted requests. Resolve-CVE-2020-0796 makes the Microsoft
    recommended change to the registry (DisableCompression = 1 under
    HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters) in order to provide a workaround
    for the vulnerability on Windows 10 and Windows Server versions 1903 and 1909. The change takes
    effect without a reboot. It is a workaround, not a replacement for the security update, which
    should still be installed.

.EXAMPLE
    PS> Resolve-CVE-2020-0796
    Applies the workaround to the local computer if it is running version 1903 or 1909.

.EXAMPLE
    PS> Resolve-CVE-2020-0796 -ComputerName "DESK01", "DESK02"
    Applies the workaround to two remote computers over PowerShell remoting.

.EXAMPLE
    PS> Get-ADComputer -Filter 'Name -like "DESK*"' | Resolve-CVE-2020-0796
    Applies the workaround to every Active Directory computer whose name starts with DESK.

.EXAMPLE
    PS> Resolve-CVE-2020-0796 -Undo
    Re-enables SMBv3 compression on the local computer.

.EXAMPLE
    PS> Resolve-CVE-2020-0796 -ComputerName "DESK05" -Undo
    Re-enables SMBv3 compression on a remote computer.

.LINK
    https://nvd.nist.gov/vuln/detail/CVE-2020-0796
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
    https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
    https://osbornepro.com
    https://writeups.osbornepro.com
    https://github.com/tobor88
    https://gitlab.com/tobor88
    https://www.powershellgallery.com/profiles/tobor
    https://www.credly.com/users/roberthosborne/badges

.INPUTS
    System.String
    You can pipe computer names, or objects with a Name property such as the output of Get-ADComputer, to this cmdlet.

.OUTPUTS
    None
#>
Function Resolve-CVE-2020-0796 {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory=$False,
            Position=0,
            ValueFromPipeline=$True,
            ValueFromPipelineByPropertyName=$True,
            HelpMessage="Enter the FQDN, hostname, or IPv4 address of the computer(s) you wish to check for and mitigate CVE-2020-0796 on")]  # End Parameter
        [Alias('c','cn','Computer','Name','DisplayName','IPAddress','IP')]
        [String[]]$ComputerName = $env:COMPUTERNAME,

        [Parameter(
            Mandatory=$False)]  # End Parameter
        [Switch]$Undo
    )  # End param

    BEGIN
    {
        # DisableCompression = 1 applies the Microsoft workaround, 0 restores the default
        If ($Undo.IsPresent)
        {
            $Value = 0
        }  # End If
        Else
        {
            $Value = 1
        }  # End Else
        Write-Verbose "[*] Registry value 'DisableCompression' will be set to $Value"

        # Work done on each target. Runs directly for the local machine and through
        # PowerShell remoting (WinRM) for remote targets.
        $ScriptBlock = {
            param([Int]$Value)

            $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
            $OSVersion = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId

            # Only Windows 10 / Windows Server versions 1903 and 1909 ship the affected SMBv3.1.1 compression code
            If (($OSVersion.ReleaseId -eq '1909') -or ($OSVersion.ReleaseId -eq '1903'))
            {
                Write-Output "[!] The version of Windows on $env:COMPUTERNAME ($($OSVersion.ReleaseId)) is affected by CVE-2020-0796"
                If ($Value -eq 0)
                {
                    Write-Warning "[!] -Undo parameter was specified. Undoing Microsoft recommended workaround for CVE-2020-0796."
                    Write-Verbose "[*] Re-enabling SMBv3 compression"
                }  # End If
                Else
                {
                    Write-Verbose "[*] Disabling compression to block unauthenticated attackers from exploiting CVE-2020-0796 against an SMBv3 server"
                }  # End Else

                # Writing under HKLM requires an elevated (Administrator) session
                Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value $Value -Force

                Write-Verbose "[*] Verifying the change has been made"
                If ($Value -eq (Get-ItemPropertyValue -Path $RegPath -Name "DisableCompression"))
                {
                    If ($Value -eq 0)
                    {
                        Write-Output "[*] SUCCESS: Registry value has been returned to its original value. No reboot is required"
                    }  # End If
                    Else
                    {
                        Write-Output "[*] SUCCESS: Registry value has been modified to mitigate CVE-2020-0796. No reboot is required"
                        Write-Output "[i] SMB compression is not yet used by Windows or Windows Server, and disabling SMB compression has no negative performance impact."
                        Write-Output "[i] This workaround does not prevent exploitation of SMB clients. Follow Microsoft's other guidelines if needed."
                        Write-Output "[i] MICROSOFT GUIDELINES FOR SMB CLIENTS: https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections"
                    }  # End Else
                }  # End If
                Else
                {
                    Throw "[x] ERROR: Registry value has not been successfully modified. Open PowerShell as an Administrator and try again"
                }  # End Else
            }  # End If
            Else
            {
                # Do not call Exit here: inside a script block it would terminate the caller's PowerShell session
                Write-Output "[*] The version of Windows on $env:COMPUTERNAME ($($OSVersion.ReleaseId)) is not affected by CVE-2020-0796"
            }  # End Else
        }  # End ScriptBlock
    }  # End BEGIN

    PROCESS
    {
        ForEach ($Comp in $ComputerName)
        {
            If ($Comp -in @('.', 'localhost', $env:COMPUTERNAME))
            {
                # Local computer: no WinRM needed
                & $ScriptBlock -Value $Value
            }  # End If
            Else
            {
                Invoke-Command -ComputerName $Comp -ScriptBlock $ScriptBlock -ArgumentList $Value
            }  # End Else
        }  # End ForEach
    }  # End PROCESS

}  # End Function Resolve-CVE-2020-0796
# SIG # Begin signature block
# MIIM9AYJKoZIhvcNAQcCoIIM5TCCDOECAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUhpQlKcAo43Kx8GhgTTtOMvfl
# tY2gggn7MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UE
# BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
# BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290
# IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMx
# MDUwMzA3MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMw
# EQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEt
# MCsGA1UECxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMw
# MQYDVQQDEypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g
# RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYusw
# ZLiBCGzDBNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz
# 6ojcnqOvK/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am
# +GZHY23ecSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1g
# O7GyQ5HYpDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQW
# OlDxSq7neTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB
# 0lL7AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
# BjAdBgNVHQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqF
# BxBnKLbv9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhho
# dHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDov
# L2NybC5nb2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0g
# ADAzMDEGCCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9z
# aXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyI
# BslQj6Zz91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwl
# TxFWMMS2RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKo
# cyQetawiDsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1
# KrKQ0U11GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkK
# rqeKM+2xLXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDABMIIFIzCC
# BAugAwIBAgIIXIhNoAmmSAYwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNVBAYTAlVT
# MRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQK
# ExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRzLmdvZGFk
# ZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1cmUgQ2Vy
# dGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAxMTE1MjMyMDI5WhcNMjExMTA0
# MTkzNjM2WjBlMQswCQYDVQQGEwJVUzERMA8GA1UECBMIQ29sb3JhZG8xGTAXBgNV
# BAcTEENvbG9yYWRvIFNwcmluZ3MxEzARBgNVBAoTCk9zYm9ybmVQcm8xEzARBgNV
# BAMTCk9zYm9ybmVQcm8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ
# V6Cvuf47D4iFITUSNj0ucZk+BfmrRG7XVOOiY9o7qJgaAN88SBSY45rpZtGnEVAY
# Avj6coNuAqLa8k7+Im72TkMpoLAK0FZtrg6PTfJgi2pFWP+UrTaorLZnG3oIhzNG
# Bt5oqBEy+BsVoUfA8/aFey3FedKuD1CeTKrghedqvGB+wGefMyT/+jaC99ezqGqs
# SoXXCBeH6wJahstM5WAddUOylTkTEfyfsqWfMsgWbVn3VokIqpL6rE6YCtNROkZq
# fCLZ7MJb5hQEl191qYc5VlMKuWlQWGrgVvEIE/8lgJAMwVPDwLNcFnB+zyKb+ULu
# rWG3gGaKUk1Z5fK6YQ+BAgMBAAGjggGFMIIBgTAMBgNVHRMBAf8EAjAAMBMGA1Ud
# JQQMMAoGCCsGAQUFBwMDMA4GA1UdDwEB/wQEAwIHgDA1BgNVHR8ELjAsMCqgKKAm
# hiRodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkaWcyczUtNi5jcmwwXQYDVR0gBFYw
# VDBIBgtghkgBhv1tAQcXAjA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNh
# dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATB2BggrBgEFBQcB
# AQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggr
# BgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0
# b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAd
# BgNVHQ4EFgQUkWYB7pDl3xX+PlMK1XO7rUHjbrwwDQYJKoZIhvcNAQELBQADggEB
# AFSsN3fgaGGCi6m8GuaIrJayKZeEpeIK1VHJyoa33eFUY+0vHaASnH3J/jVHW4BF
# U3bgFR/H/4B0XbYPlB1f4TYrYh0Ig9goYHK30LiWf+qXaX3WY9mOV3rM6Q/JfPpf
# x55uU9T4yeY8g3KyA7Y7PmH+ZRgcQqDOZ5IAwKgknYoH25mCZwoZ7z/oJESAstPL
# vImVrSkCPHKQxZy/tdM9liOYB5R2o/EgOD5OH3B/GzwmyFG3CqrqI2L4btQKKhm+
# CPrue5oXv2theaUOd+IYJW9LA3gvP/zVQhlOQ/IbDRt7BibQp0uWjYaMAOaEKxZN
# IksPKEJ8AxAHIvr+3P8R17UxggJjMIICXwIBATCBwTCBtDELMAkGA1UEBhMCVVMx
# EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
# EUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMuZ29kYWRk
# eS5jb20vcmVwb3NpdG9yeS8xMzAxBgNVBAMTKkdvIERhZGR5IFNlY3VyZSBDZXJ0
# aWZpY2F0ZSBBdXRob3JpdHkgLSBHMgIIXIhNoAmmSAYwCQYFKw4DAhoFAKB4MBgG
# CisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcC
# AQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYE
# FGNSYULnpz8W191E0AspKiYEyJESMA0GCSqGSIb3DQEBAQUABIIBAEkv1jSzUrEB
# RQLLMed6xJcAEeGbT6QLMXuOG/z4Y6P+Ctr+ar42eMUteFJOVFNENk2x7U1Lyo19
# z8hsEQvnra55yLeRVIxtGW3N7ZUhQ34supfaS1tVLkSOkxWzPeHIEwnAcKS+sfpK
# Ih/sgzBhnwHE4ffPDCZLRkBU9wrbjHXFGGJiexkptf+AYj0Xlp9MCnKlQE72C+d2
# oVzQ/3uuqfC/l7EvrlXEvU3VtkquxF+8N+85Qt/+rtkH3+oAsQKdjEH7+0mhTLXi
# 92QTQS4u53FL2WitIkfhWUJPZ6no1xdDKr9d6FwRrtd7vnDGAU/yOraZFE0OJhDY
# ZS+IRGJLgfA=
# SIG # End signature block
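The script above decides "vulnerable" from ReleaseId alone, so a fully patched 1903/1909 host is still reported as vulnerable, and it says nothing about whether the SMB server side (the only side the DisableCompression workaround protects) is actually exposed. The audit function below is an added example and is not part of the original script or the author's code. The function name Test-CVE-2020-0796, the output fields, and the build-revision threshold of 720 (which this example assumes is the revision that the March 2020 security update gave builds 18362 and 18363; verify against your own patch baseline) are this example's assumptions. It reads the same registry keys the script writes, so it can be used before and after Resolve-CVE-2020-0796 to confirm the workaround landed.

```powershell
# Added example, not part of the original script: audit-only companion to
# Resolve-CVE-2020-0796. Function name, output shape and the build threshold
# are this example's own choices.
Function Test-CVE-2020-0796 {
    [CmdletBinding()]
    param(
        [Parameter(Position=0, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
        [Alias('Name','DNSHostName')]
        [String[]]$ComputerName = $env:COMPUTERNAME
    )

    BEGIN
    {
        $ScriptBlock = {
            $CurrentVersion = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            $LanmanParams   = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

            $ReleaseId = [String]$CurrentVersion.ReleaseId
            $Build     = [Int]$CurrentVersion.CurrentBuildNumber
            $Ubr       = [Int]$CurrentVersion.UBR   # Update Build Revision, the ".NNN" part of the OS build

            # The affected SMBv3.1.1 compression code ships only in 1903 (build 18362) and 1909 (build 18363)
            $AffectedRelease = $ReleaseId -in @('1903', '1909')

            # Assumption in this example: the security update that fixed CVE-2020-0796 raised
            # these builds to revision 720. Adjust if your patch baseline differs.
            $PatchedUbr = 720
            $Patched    = $AffectedRelease -and ($Ubr -ge $PatchedUbr)

            # DisableCompression does not exist by default; a missing value means compression is allowed
            $DisableCompression = 0
            If ($null -ne $LanmanParams.DisableCompression) { $DisableCompression = [Int]$LanmanParams.DisableCompression }
            $WorkaroundApplied = ($DisableCompression -eq 1)

            # Server-side exposure: is LanmanServer running and is anything listening on TCP 445?
            $SrvService   = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
            $Listening445 = [Bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

            [PSCustomObject]@{
                ComputerName       = $env:COMPUTERNAME
                ReleaseId          = $ReleaseId
                OSBuild            = "$Build.$Ubr"
                AffectedRelease    = $AffectedRelease
                PatchInstalled     = $Patched
                DisableCompression = $DisableCompression
                WorkaroundApplied  = $WorkaroundApplied
                SmbServerRunning   = ($SrvService.Status -eq 'Running')
                ListeningOn445     = $Listening445
                # Exposed only when the build is affected, unpatched, has no workaround, and the server is reachable
                ServerExposed      = $AffectedRelease -and -not $Patched -and -not $WorkaroundApplied -and $Listening445
            }
        }
    }

    PROCESS
    {
        ForEach ($Comp in $ComputerName)
        {
            If ($Comp -in @('.', 'localhost', $env:COMPUTERNAME))
            {
                & $ScriptBlock
            }
            Else
            {
                # Remote targets need WinRM; the returned object is deserialized but keeps its properties
                Invoke-Command -ComputerName $Comp -ScriptBlock $ScriptBlock
            }
        }
    }
}

# Usage (constructed example): audit a set of hosts, then apply the workaround only where it is still needed
# Test-CVE-2020-0796 -ComputerName 'DESK01', 'DESK02' |
#     Where-Object { $_.ServerExposed } |
#     Select-Object -ExpandProperty ComputerName |
#     Resolve-CVE-2020-0796
```

Get-NetTCPConnection comes from the NetTCPIP module that ships with Windows 8 / Server 2012 and later, so it is available on every build this audit cares about. A host that reports AffectedRelease as true and PatchInstalled as false, but WorkaroundApplied as true, is protected on the server side only; the client side still needs the security update or the lateral-connection blocking the script's KB3185535 link describes.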