Overview

The Background of security vulnerabilities

NFS (Network File Syste) is a file sharing solution that can transfer files between computers running Windows systems and other non-Windows operating systems (such as Linux or UNIX). Recently, the H3C Offensive and Defense Laboratory has monitored that Microsoft has officially released an update patch for the Windows NFS remote code execution vulnerability, the vulnerability number is CVE-2020-17051.

The details of the vulnerability

The NFS protocol provides a transparent network remote access to shared files. It can map the file system directory tree of the server to the client. When the client accesses the file system directory tree, there is no difference between accessing the local directory system. The client does not know Whether the file ystem directory tree existss on the local system or a remote NFS server.

The function for converting ANSI to Unicode in the nfssvr.sys file of Windows NFS V3 has a design flaw. If the Windows NFS server enables anonymous sharing, or the remote attacker has write access to the NFS share on the target server, then the remote attacker can send a carefully constructed data packet to the Windows NFS server, and successfully exploit this vulnerability. Execute arbitrary code on the target server.

Once the CVE-2020-17051 NFS remote code vulnerability is perfected by an attacker and becomes a stable code execution vulnerability, it will most likely be used by ransomware to spread worms in Windows systems with NFS anonymous sharing enabled. Windows users are recommended to take measures Take protection.

After being attacked, the Windows server will restart with a blue screen.

The scope of influence

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server, version 1903 (Server Core installation)

Windows 10 Version 1903 for ARM64-based Systems

Windows 10 Version 1903 for x64-based Systems

Windows 10 Version 1903 for 32-bit Systems

Windows Server, version 1909 (Server Core installation)

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows Server, version 2004 (Server Core installation)

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for x64-based Systems

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Solution

The official solution

At present, Microsoft has officially released a patch for this vulnerability. It is recommended that users install the patch as soon as possible through the following link:

https://msrc.microsoft.com/update-guide/zh-cn/vulnerability/CVE-2020-17051

The solution of H3C

The H3C IPS rule library will support the identification of this vulnerability attack in version 1.0.110. It is recommended to pay attention to the H3C official website to update the version in time and enable relevant rules.

H3C security emergency response external service

H3C advocates that every effort be made to safeguard the ultimate interests of product users, to abide by principles of responsible disclosure of security incidents, and to handle product security issues in accordance with security issues mechanisms. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.