Hello, welcome to the Thursday, March 12th, 2020 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

First of all, a little bit an update and clarification correction about the mystery SMB version 3 vulnerability that I mentioned yesterday.

Not actually a lot of news here. We still just have the Microsoft security advisory to go by.

Now one mistake I made yesterday and thanks for Rob to correcting me here on Twitter, I mentioned that this vulnerability is similar to Blue Keep.

Well, I got the vulnerabilities mixed up here.

Blue Keep is the RDP vulnerability.

This is really more like Eternal Blue, which was the Smb version 1 vulnerability.

And there is a CVE number for this vulnerability.

CVE 2020-0796. So other than that,

not really a lot about it. There are a couple attempts to name the vulnerability. I've seen

Corona Blue being used or SMB ghost, but not sure if I really like either name. There are a couple of

scanners that people release to detect if you're vulnerable. Now, what they're looking for here

is that you are supporting SMB version 3.1.1 and that you have compression enabled. Now, SMB compression

has actually been available back in SMB 1.0. There is also SMB protocol acceleration. Sometimes

the two words are sort of used a little bit interchangeable, I believe,

but for this vulnerability, only Windows 10 is vulnerable and Windows server version 1903 and

1909.

Also that's for Windows 10, it's version 1903 and 1909 that are vulnerable. Of course,

it's not a certain clear if some older versions may be vulnerable, but aren't explicitly

sort of pointed out by Microsoft. Now, the workaround I told you about yesterday remains. It's essentially

disabling this compression feature. Go by Microsoft's guidance here. I've seen a couple of

...