Microsoft Discloses Unpatched Critical SMB Vulnerability in Windows
Microsoft, which has recently issued its latest patches for Windows, has also disclosed an unpatched critical vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol.
The vulnerability affects ARM64, 32- and 64-bit editions of Windows 10 versions 1903 and 1909, as well as Windows Server versions 1903 and 1909.
According to a Microsoft security advisory, the company is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
"An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it," Microsoft says.
According to cybersecurity firm FortiGuard Labs, whose detection signature for the flaw is named MS.SMB.Server.Compression.Transform.Header.Memory.Corruption, the signature covers "an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers".
"The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application", the firm says.
Microsoft suggests a workaround that involves disabling SMBv3 compression, although the company points out that while this will block unauthenticated attackers, it does not prevent SMB clients from being exploited. To disable compression, use the following PowerShell command:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Microsoft also advises people to block TCP port 445 at the enterprise perimeter firewall.
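As an added example that is not part of the article or of Microsoft's advisory, the following PowerShell script audits whether the compression workaround above is in place on a host and, when run with -Apply, makes the same registry change; it assumes an elevated session on Windows 10 or Windows Server version 1903 or 1909, and uses the ReleaseId registry value to identify the version. As the article notes, this only protects the server side, not SMB clients.

```powershell
# Added example (not from the article or Microsoft): audit the SMBv3 compression
# workaround on this host and apply it only when -Apply is given.
# Assumes Windows 10 / Server 1903 or 1909 and an elevated session (HKLM writes
# require administrator rights).
[CmdletBinding()]
param(
    [switch]$Apply
)

$ParamKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'
$Affected  = @('1903', '1909')   # versions named in the advisory

# ReleaseId holds the version label ("1903", "1909", ...) of this Windows build.
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
if ($Affected -notcontains $releaseId) {
    Write-Output "Windows version $releaseId is not one of the affected versions ($($Affected -join ', '))."
}

# Read the current value; a missing value means compression is still enabled.
$current = (Get-ItemProperty -Path $ParamKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    Write-Output "OK: SMBv3 compression is disabled ($ValueName = 1)."
} else {
    $state = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output "WARNING: SMBv3 compression is enabled ($ValueName is $state)."
    if ($Apply) {
        # Same registry change as the command in the advisory.
        Set-ItemProperty -Path $ParamKey -Name $ValueName -Type DWORD -Value 1 -Force
        Write-Output "Applied: $ValueName set to 1."
    } else {
        Write-Output "Re-run with -Apply to disable compression."
    }
}

# Is this host exposing SMB at all? A listener on TCP 445 is what the
# perimeter-firewall recommendation is meant to shield from the internet.
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    Write-Output "NOTE: TCP 445 is listening; confirm it is blocked at the perimeter firewall."
}
```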