The recent advisory for CVE-2020-0796 describes a remote code execution vulnerability in the way the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests; it affects Windows 10 and Windows Server. Microsoft has released a patch for this vulnerability, but there are scenarios where applying the patch is either not possible or will take additional time. If you cannot deploy the patch immediately, existing EventSentry users can quickly mitigate this threat by applying a workaround to all monitored hosts. (More information on this workaround here.) The workaround is a registry modification that disables compression, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.
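A script of the kind this workaround calls for, written as an added example and not the script attached to the original post: it sets the `DisableCompression` value under the LanmanServer parameters key named in Microsoft's guidance for this CVE, reads it back, and reports the result. The key path and value name come from that guidance rather than from this page, and the status strings and exit codes are choices made for this example.

```batch
@echo off
setlocal
rem Added example, not the EventSentry-supplied script.
rem Registry value from Microsoft's published workaround for CVE-2020-0796.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
set "VAL=DisableCompression"

rem Already mitigated? Then change nothing and report success.
call :read_value
if /i "%CURRENT%"=="0x1" (
    echo OK: %VAL%=1 already set on %COMPUTERNAME%
    exit /b 0
)

rem Write the DWORD; this fails unless the script runs with admin rights.
reg add "%KEY%" /v %VAL% /t REG_DWORD /d 1 /f >nul 2>&1
if errorlevel 1 (
    echo ERROR: cannot write %VAL% on %COMPUTERNAME%, check privileges
    exit /b 1
)

rem Read the value back instead of trusting the write.
call :read_value
if /i not "%CURRENT%"=="0x1" (
    echo ERROR: %VAL% reads "%CURRENT%" after write on %COMPUTERNAME%
    exit /b 2
)
echo CHANGED: %VAL% set to 1 on %COMPUTERNAME%
exit /b 0

:read_value
rem reg query prints "  DisableCompression  REG_DWORD  0x1"; token 3 is the data.
set "CURRENT="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| findstr /i /c:"%VAL%"') do set "CURRENT=%%A"
exit /b 0
```

Per Microsoft's guidance the setting applies without a reboot and covers only the SMB server role, so SMB clients still need the patch.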
In the Tools menu (1) of the EventSentry Management Console, select Embedded Scripts (2) and click the New button (3). Give the script a descriptive name (4) (e.g. smbv3_compression_set_vul.cmd), paste the attached script content (5) and click OK (6).
Fig.1: Creating an Embedded Script
The next step is to create a system health package with an application scheduler object, which can run any script at preset intervals or times. Expand Packages in the management console, right-click System Health (1) and click Add Package (2). Give the package a descriptive name, e.g. "Patch Vulnerabilities".
Fig.2: Add New Package
From the package we just created, right-click (1) and add (2) an Application Scheduler (3) object as shown below.
Fig.3: Adding an Application Scheduler
In the Application Scheduler dialog, click the "+" (1) button and specify a schedule (2). In this case, the tool is set to run every 24 hours, meaning that the script will run as we add the package to the computer and will then be re-triggered every 24 hours after that. In the Process area click the drop-down menu in the Filename field (3) and select the recently created script (4). Note that all embedded scripts start with the @ symbol. Click the Test button to verify the output (5).
Fig.4: Configuring the Embedded Script
Either set the package global or assign it to the group(s) or computer(s) where the tool should run. In this case, we are assigning the package to all Workstations by clicking on Workstations inside Computer Groups (1), then clicking Assign Packages (2), ticking the check box for the package that we created (3), and finally clicking OK (4).
Fig.5: Assigning Package to Workstations
Vid.1: Creating and assigning EventSentry Embedded Script