A Windows SMBv3 Remote Code Execution Vulnerability affects your Windows Server 2022-based Domain Controllers (CVE-2022-24508)


Today, for its March 2022 Patch Tuesday, Microsoft released an important security update for domain controllers running Windows Server. This vulnerability is known as CVE-2022-24508 and rated with CVSSv3.1 scores of 8.8/7.7.

A remote code execution exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.

An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

To exploit the vulnerability against a server, an authenticated attacker could send a specially crafted packet over the network to a targeted SMBv3 server. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

Interestingly, the vulnerability closely resembles CVE-2020-0796, a vulnerability that was addressed as part of the March 2020 Patch Tuesday. Then, the vulnerability could be abused by an unauthenticated attacker and was rated with 10.0/9.0…

This time, the vulnerability exists in a new feature that was added in Windows Server 2022 and is present in newer supported versions of Windows. Older file servers running previous versions of Windows Server are not affected, even though the SMB compression client feature was added to Windows Server 2019.

Affected Operating Systems

Windows Server 2022

All Windows Server 2022 installations that are configured as domain controllers and file servers are at risk from this vulnerability. Domain controllers have the Windows Firewall rules for file server services enabled upon promotion and are therefore, by default, exposed to this vulnerability.

Domain controllers offer access to the Active Directory system volume (\\domain.tld\sysvol) and Netlogon share (\\domain.tld\netlogon). These shares are necessary for signing in on domain-joined devices. Blocking TCP port 445 towards the domain controllers in the networking environment, therefore, is not a solution.

Server Core, Full installations and Azure Editions are affected.


Windows Server version 20H2

Windows Server version 20H2 is also vulnerable.

Mitigation

As a mitigating factor, Active Directory admins can disable the SMBv3 compression feature as a workaround. This prevents an attacker (but also legitimate users and processes) from using the SMBv3 compression feature.

Disabling SMBv3 compression

This can be done using the following line of PowerShell in an elevated Windows PowerShell window:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

No reboot is needed after making the change.

Re-enabling SMBv3 compression

This can be done using the following line of PowerShell in an elevated Windows PowerShell window:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 0 -Force

No reboot is needed after disabling the workaround.
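The two one-liners above are meant to be run on each domain controller by hand. As an added example (not from the original post), the script below wraps the same registry change in functions that audit, apply and roll back the workaround on every domain controller in the domain at once. It assumes the ActiveDirectory RSAT module and PowerShell Remoting (WinRM) access to each domain controller from an elevated window.

```powershell
# Added example, not part of the original post: audit and toggle the
# DisableCompression workaround across all domain controllers.
# Assumes: ActiveDirectory module, WinRM access to each DC, elevated session.

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-DomainControllerName {
    # All DCs in the current domain, by DNS host name.
    (Get-ADDomainController -Filter *).HostName
}

function Get-SmbCompressionState {
    # Report, per DC, whether SMBv3 compression is disabled (workaround applied).
    param([string[]]$ComputerName = (Get-DomainControllerName))
    foreach ($dc in $ComputerName) {
        try {
            $value = Invoke-Command -ComputerName $dc -ErrorAction Stop `
                -ArgumentList $RegPath -ScriptBlock {
                param($Path)
                # A missing value means the default: compression is enabled.
                (Get-ItemProperty -Path $Path -Name DisableCompression `
                    -ErrorAction SilentlyContinue).DisableCompression
            }
            [pscustomobject]@{
                ComputerName      = $dc
                WorkaroundApplied = ($value -eq 1)
                Error             = $null
            }
        } catch {
            # Unreachable DC: report it rather than silently skipping it.
            [pscustomobject]@{ ComputerName = $dc; WorkaroundApplied = $null
                               Error = $_.Exception.Message }
        }
    }
}

function Set-SmbCompressionState {
    # -Disable applies the workaround (value 1); without it, rolls back (value 0).
    # No reboot is needed in either direction.
    param([string[]]$ComputerName = (Get-DomainControllerName), [switch]$Disable)
    $desired = if ($Disable) { 1 } else { 0 }
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RegPath, $desired `
        -ScriptBlock {
        param($Path, $Value)
        Set-ItemProperty -Path $Path -Name DisableCompression -Type DWORD -Value $Value -Force
    }
    # Re-read the value so the caller sees what actually landed on each DC.
    Get-SmbCompressionState -ComputerName $ComputerName
}

# Usage (run interactively):
#   Set-SmbCompressionState -Disable | Format-Table            # apply everywhere
#   Get-SmbCompressionState | Where-Object { -not $_.WorkaroundApplied }  # still exposed
#   Set-SmbCompressionState | Format-Table                     # roll back after patching
```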

Call to action

I urge you to install the necessary security updates on Windows Server installations running as domain controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the update to the Windows Server installations running as domain controllers in production.

Disabling SMBv3 compression on these systems can be used as a temporary workaround until the updates are installed and the domain controllers have been rebooted afterward.

Further reading

CVE-2022-24508 Windows SMBv3 Remote Code Execution Vulnerability 
CVE-2020-0796 Windows SMBv3 Remote Code Execution Vulnerability 
RoboCopy supports SMB with Compression on Windows Server 2019, and beyond 
Hardening SMB on Domain Controllers, Step 1: Reporting on SMB connections
