CVE-2020-0796
Published: 12 March 2020
Summary
CVE-2020-0796 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Microsoft Windows 10 1903. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).
Deeper analysis
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. The flaw, tracked as CVE-2020-0796 and also known as the Windows SMBv3 Client/Server Remote Code Execution Vulnerability, affects the SMBv3 client and server components on Windows systems and carries a CVSS score of 10.0 with a buffer overflow weakness (CWE-119).
Remote attackers can exploit the issue over the network without authentication or user interaction to execute arbitrary code with high impact on confidentiality, integrity, and availability, including across security boundaries. Public proof-of-concept code has been released demonstrating remote code execution and local privilege escalation against Windows 10 systems running SMB 3.1.1.
The listed references consist entirely of exploit artifacts and proof-of-concept implementations, including CoronaBlue-SMBGhost and multiple buffer-overflow variants, confirming that working attack code is publicly available. No official patch or mitigation details appear in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2283
Vulnerability details
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
- CWE(s)
- KEV Date Added: 10 February 2022
Mitigating Controls (NIST 800-53 r5)
Boundary protection devices can block unauthenticated SMBv3 traffic from external or untrusted networks, directly stopping remote exploitation of the buffer overflow before code execution occurs.
Least functionality allows disabling SMBv3 or restricting its use to only required internal interfaces, eliminating the attack surface for the unauthenticated RCE flaw.
Flaw remediation requires prompt application of vendor patches that close the SMBv3 buffer overflow, preventing successful remote code execution once the update is deployed.