Resolve-CVE-2020-0796.ps1

<#
.NAME
    Resolve-CVE-2020-0796


.SYNOPSIS
    This cmdlet is meant to mitigate any Windows Operating systems vulnerable to CVE-2020-0796.
    It checks the OS version to determine whether or not a change is neccessary. If a system is
    vulnerable this cmdlet will make the recommended actions as suggested by Microsoft. This
    workaround provided by Microsoft is only effecitive on SMBv3 servers not SMBv3 Clients.


.SYNTAX
    Resolve-CVE-2020-0796 [[-ComputerName] <string[]>] [-Undo] [<CommonParameters>]


.PARAMETER ComputerName
    Specifies one or more computers. The default is the local computer.

    Type the NETBIOS name, an IP address, or a fully qualified domain name of a remote computer. To specify the
    local computer, type the computer name, a dot (.), or localhost.

    This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if
    your computer is not configured to run remote commands.

.PARAMETER Undo
    Specify this switch parameter if you want to undo the changes this function makes to the registry.
    This will re-enable SMB v3.1.1 Compression in Windows version 1903 and 1909.


.DESCRIPTION
    A remote code execution vulnerability exists in the way that the Microsoft Server Message Block
    3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the
    vulnerability could gain the ability to execute code on the target server or client. To
    exploit the vulnerability against a server, an unauthenticated attacker could send a specially
    crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an
    unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user
    to connect to it. The security update addresses the vulnerability by correcting how the SMBv3
    protocol handles these specially crafted requests. Resolve-CVE-2020-0796 makes the Microsoft
    recommended changes to the registry in order to provide a workaround for the vulnerability on
    Windows Servers version 1903 and 1909.


.EXAMPLE
.EXAMPLE 1
    PS> Resolve-CVE-2020-0796

.EXAMPLE 2
    PS> Resolve-CVE-2020-0796 -ComputerName "DESK01", "DESK02"

.EXAMPLE 3
    PS> Get-ADComputer -Filter 'Name -like "DESK*"' | Resolve-CVE-2020-0796
    PS> Resolve-CVE-2020-0796

.EXAMPLE 4
    PS> Resolve-CVE-2020-0796 -Undo

.EXAMPLE 5
    PS> Resolve-CVE-2020-0796 -ComputerName "DESK05" -Undo

.LINK
https://nvd.nist.gov/vuln/detail/CVE-2020-0796
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections
https://osbornepro.com
https://writeups.osbornepro.com
https://github.com/tobor88
https://gitlab.com/tobor88
https://www.powershellgallery.com/profiles/tobor
https://www.credly.com/users/roberthosborne/badges


.INPUTS
    System.String
        You can pipe computer names to this cmdlet..

        In Windows PowerShell 2.0, the ComputerName parameter takes input from the pipeline only by property name. In
        Windows PowerShell 3.0, the ComputerName parameter takes input from the pipeline by value.


.OUTPUTS
    None

#>
Function Resolve-CVE-2020-0796 {
    [CmdletBinding()]
        param(
            [Parameter(
                Mandatory=$False,
                Position=0,
                ValueFromPipeline=$True,
                ValueFromPipelineByPropertyName=$False,
                HelpMessage="Enter the FQDN, hostname, or IPv4 address of the computer(s) you wish to check for and mitigate CVE-202-0796 of")]  # End Parameter
            [Alias('c','cn','Computer','Name','DisplayName','IPAddress','IP')]
            [String[]]$ComputerName,

            [Parameter(
                Mandatory=$False)]  # End Parameter
            [Switch][Bool]$Undo)  # End param

BEGIN
{

    If ($PSBoundParameters.ContainsKey('Undo'))
    {

        $Value = 0

    }  # End If
    Else
    {

        $Value = 1

    }  # End Else

    Write-Verbose "[*] Registry value 'DisableCompression' will be set to $Value"

}  # End BEGIN
PROCESS
{

    ForEach ($Comp in $ComputerName)
    {

        Invoke-Command -ComputerName $Comp -ScriptBlock {
            $Value = $args[0]
            $OSVersion = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId
            If (($OSVersion.ReleaseId -match '1909') -or ($OSVersion.ReleaseId -match '1903'))
            {

                Write-Output "[!] The version of Windows on $env:COMPUTERNAME is vulnerable to CVE-2020-0796"
                $Value
                $Value.GetType()
                If ($Value -eq 0)
                {

                    Write-Warning "[!] -Undo Parameter was specified. Undoing Microsoft recommended workaround for CVE-2020-0796."
                    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value $Value -Force

                    Write-Verbose "[*] Verifying the change has been made"
                    If (0 -eq (Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "DisableCompression"))
                    {

                        Write-Output "[*] SUCCESS: Registry value has been successfully returned to it's original value. No reboot is required"

                    }  # End If
                    Else
                    {

                        Throw "[x] ERROR: Registry value has not been successfully modified. Open PowerShell as an Administrtaor and try again"

                    }  # End Else

                }
                ElseIf ($Value -eq 1)
                {
                    $Value -eq 1
                    Write-Verbose "[*] Disabling compression to block unauthenticated attackers from exploiting CVE-2020-0796 against an SMBv3 Server"
                    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value $Value -Force

                    Write-Verbose "[*] Verifying the change has been made"
                    If (1 -eq (Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "DisableCompression"))
                    {

                        Write-Output "[*] SUCCESS: Registry value has been successfully modified to prevent CVE-2020-0796. No reboot is required`n[]"
                        Write-Output "[i] SMB Compression is not yet used by Windows or Windows Server, and disabling SMB Compression has no negative performance impact."
                        Write-Output "[i] This workaround does not prevent exploitation of SMB clients. Follow Microsofts other guidelines if needed."
                        Write-Output "[i] MICROSOFT GUIDELINES FOR SMB CLEINTS: https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections"

                    }  # End If
                    Else
                    {

                        Throw "[x] ERROR: Registry value has not been successfully modified. Open PowerShell as an Administrtaor and try again"

                    }  # End Else

                }  # End ElseIf

            }  # End If
            Else
            {

                Write-Output "[*] This version of Windows is not vulnerable to CVE-2020-0796"
                Exit

            }  # End Else

        }  -ArgumentList $Value # End Invoke-Command ScriptBlock

    }  # End ForEach

}  # End PROCESS

}  # End Function Resolve-CVE-2020-0796

# SIG # Begin signature block
# MIIM9AYJKoZIhvcNAQcCoIIM5TCCDOECAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUhpQlKcAo43Kx8GhgTTtOMvfl
# tY2gggn7MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UE
# BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
# BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290
# IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMx
# MDUwMzA3MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMw
# EQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEt
# MCsGA1UECxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMw
# MQYDVQQDEypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0g
# RzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYusw
# ZLiBCGzDBNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz
# 6ojcnqOvK/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am
# +GZHY23ecSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1g
# O7GyQ5HYpDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQW
# OlDxSq7neTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB
# 0lL7AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
# BjAdBgNVHQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqF
# BxBnKLbv9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhho
# dHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDov
# L2NybC5nb2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0g
# ADAzMDEGCCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9z
# aXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyI
# BslQj6Zz91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwl
# TxFWMMS2RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKo
# cyQetawiDsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1
# KrKQ0U11GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkK
# rqeKM+2xLXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDABMIIFIzCC
# BAugAwIBAgIIXIhNoAmmSAYwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNVBAYTAlVT
# MRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRowGAYDVQQK
# ExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRzLmdvZGFk
# ZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1cmUgQ2Vy
# dGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAxMTE1MjMyMDI5WhcNMjExMTA0
# MTkzNjM2WjBlMQswCQYDVQQGEwJVUzERMA8GA1UECBMIQ29sb3JhZG8xGTAXBgNV
# BAcTEENvbG9yYWRvIFNwcmluZ3MxEzARBgNVBAoTCk9zYm9ybmVQcm8xEzARBgNV
# BAMTCk9zYm9ybmVQcm8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJ
# V6Cvuf47D4iFITUSNj0ucZk+BfmrRG7XVOOiY9o7qJgaAN88SBSY45rpZtGnEVAY
# Avj6coNuAqLa8k7+Im72TkMpoLAK0FZtrg6PTfJgi2pFWP+UrTaorLZnG3oIhzNG
# Bt5oqBEy+BsVoUfA8/aFey3FedKuD1CeTKrghedqvGB+wGefMyT/+jaC99ezqGqs
# SoXXCBeH6wJahstM5WAddUOylTkTEfyfsqWfMsgWbVn3VokIqpL6rE6YCtNROkZq
# fCLZ7MJb5hQEl191qYc5VlMKuWlQWGrgVvEIE/8lgJAMwVPDwLNcFnB+zyKb+ULu
# rWG3gGaKUk1Z5fK6YQ+BAgMBAAGjggGFMIIBgTAMBgNVHRMBAf8EAjAAMBMGA1Ud
# JQQMMAoGCCsGAQUFBwMDMA4GA1UdDwEB/wQEAwIHgDA1BgNVHR8ELjAsMCqgKKAm
# hiRodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkaWcyczUtNi5jcmwwXQYDVR0gBFYw
# VDBIBgtghkgBhv1tAQcXAjA5MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNh
# dGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAgGBmeBDAEEATB2BggrBgEFBQcB
# AQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggr
# BgEFBQcwAoY0aHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0
# b3J5L2dkaWcyLmNydDAfBgNVHSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAd
# BgNVHQ4EFgQUkWYB7pDl3xX+PlMK1XO7rUHjbrwwDQYJKoZIhvcNAQELBQADggEB
# AFSsN3fgaGGCi6m8GuaIrJayKZeEpeIK1VHJyoa33eFUY+0vHaASnH3J/jVHW4BF
# U3bgFR/H/4B0XbYPlB1f4TYrYh0Ig9goYHK30LiWf+qXaX3WY9mOV3rM6Q/JfPpf
# x55uU9T4yeY8g3KyA7Y7PmH+ZRgcQqDOZ5IAwKgknYoH25mCZwoZ7z/oJESAstPL
# vImVrSkCPHKQxZy/tdM9liOYB5R2o/EgOD5OH3B/GzwmyFG3CqrqI2L4btQKKhm+
# CPrue5oXv2theaUOd+IYJW9LA3gvP/zVQhlOQ/IbDRt7BibQp0uWjYaMAOaEKxZN
# IksPKEJ8AxAHIvr+3P8R17UxggJjMIICXwIBATCBwTCBtDELMAkGA1UEBhMCVVMx
# EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
# EUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMuZ29kYWRk
# eS5jb20vcmVwb3NpdG9yeS8xMzAxBgNVBAMTKkdvIERhZGR5IFNlY3VyZSBDZXJ0
# aWZpY2F0ZSBBdXRob3JpdHkgLSBHMgIIXIhNoAmmSAYwCQYFKw4DAhoFAKB4MBgG
# CisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcC
# AQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYE
# FGNSYULnpz8W191E0AspKiYEyJESMA0GCSqGSIb3DQEBAQUABIIBAEkv1jSzUrEB
# RQLLMed6xJcAEeGbT6QLMXuOG/z4Y6P+Ctr+ar42eMUteFJOVFNENk2x7U1Lyo19
# z8hsEQvnra55yLeRVIxtGW3N7ZUhQ34supfaS1tVLkSOkxWzPeHIEwnAcKS+sfpK
# Ih/sgzBhnwHE4ffPDCZLRkBU9wrbjHXFGGJiexkptf+AYj0Xlp9MCnKlQE72C+d2
# oVzQ/3uuqfC/l7EvrlXEvU3VtkquxF+8N+85Qt/+rtkH3+oAsQKdjEH7+0mhTLXi
# 92QTQS4u53FL2WitIkfhWUJPZ6no1xdDKr9d6FwRrtd7vnDGAU/yOraZFE0OJhDY
# ZS+IRGJLgfA=
# SIG # End signature block