CVE-2022-24508 · Win32 File Enumeration Remote Code Execution Vulnerability

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place: Disable SMBv3 compression You can disable compression to block authenticated attackers from exploiting the vulnerability against an SMBv3 Server with the following PowerShell command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force Notes: No reboot is needed after making the change. This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients. You can disable the workaround with the PowerShell command below. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force Note: No reboot is needed after disabling the workaround.

What steps can I take to protect my network? Block TCP port 445 at the enterprise perimeter firewall TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. Follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network Preventing SMB traffic from lateral connections and entering or leaving the network Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability? No. The vulnerability exists in a new feature that was added to Windows 10 version 2004 and exists in newer supported versions of Windows. Older versions of Windows are not affected.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges.