On 10 March 2020, with Covid-19 the main topic of discussion, people may not have noticed CVE-2020-0796, aka SMBGhost, being reported online. This remote code execution vulnerability exists in the Server Message Block 3.1.1 (SMBv3) protocol.
SMBGhost, as the media dubbed it, is a vulnerability in the Microsoft Server Message Block 3.0 (SMBv3) implementation's handling of malformed compression headers.
Compression headers are a feature added to SMBv3 in May 2019, negotiated through negotiate context request packets.
This creates a vulnerability with worming potential: exploitation requires no human interaction, so it can spread from one vulnerable system to the next with ease.
Exploitation
To exploit this vulnerability against a server, an attacker sends a crafted SMBv3 packet containing a malformed compression header to a vulnerable SMBv3 server.
To exploit SMBv3 clients, the attacker would need to entice a user to connect to a malicious SMBv3 server under the attacker's control. Successful exploitation could result in remote code execution.
At the time of release, Microsoft confirmed that they had not yet seen the vulnerability exploited in the wild.
The vulnerability affects the following:
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Older versions of Windows do not support SMBv3.1.1 compression and so are not affected.
What is SMB?
SMB is a protocol that provides a rich set of features, such as file sharing, network browsing and printing services over a network; however, it has been plagued by years of vulnerabilities and exploits, the most famous being MS08-067 and MS17-010, dubbed EternalBlue. Both caused an industry-wide rush to patch systems and mitigate the risk of compromise.
What’s SMBGhost’s impact?
Windows machines running SMBv3 can be targeted remotely without credentials (an unauthenticated attack); successful compromise leads to the execution of arbitrary code with SYSTEM privileges (Administrator) on the vulnerable system.
Researchers from the cyber security firm Kryptos Logic have found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the vulnerability CVE-2020-0796. “The SMB bug appears trivial to identify, even without the presence of a patch to analyze”.
Remediation
Microsoft has multiple scripts available to test whether your systems are vulnerable. Most of these scripts focus on checking whether you are running a vulnerable version, which on its own may not be that effective. It is imperative that a good patch management programme is in place and that all systems are updated in good time.
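As an added example (not from the original post or from Microsoft's scripts), the following PowerShell check goes a step beyond a bare version test: it reports whether the host is in the affected 1903/1909 set, whether the SMBv3 compression workaround is applied, and, if you pass the KB number from Microsoft's advisory, whether the fix is installed. It assumes it runs locally with administrative rights; the DisableCompression value under LanmanServer\Parameters is the workaround Microsoft published for this CVE and is not mentioned above.

```powershell
# Added example: local exposure check for CVE-2020-0796 (SMBGhost).
# Assumptions: run as an administrator on the host being checked; the
# DisableCompression registry value is Microsoft's published workaround;
# the fix KB is supplied by the operator (placeholder, taken from the advisory).
param(
    [string]$FixKB = ''   # e.g. -FixKB 'KB<number from the Microsoft advisory>'
)

# Releases listed as affected in the advisory (Windows 10 and Server 1903/1909).
$affectedReleases = @('1903', '1909')

# ReleaseId identifies the feature update (1903, 1909, ...); absent on older Windows.
$cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$release = $cv.ReleaseId
$build   = [Environment]::OSVersion.Version.Build

# Workaround state: DisableCompression = 1 turns off SMBv3 compression on the server side.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$disableCompression = (Get-ItemProperty -Path $lanman -Name 'DisableCompression' `
                        -ErrorAction SilentlyContinue).DisableCompression

$isAffectedRelease = $affectedReleases -contains $release
$workaroundApplied = ($disableCompression -eq 1)

# Patch state is only known when the operator supplies the KB to look for.
$patchInstalled = $null
if ($FixKB) {
    $patchInstalled = [bool](Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)
}

# Version alone is not enough: rank patch, then workaround, then bare version.
$exposure = if (-not $isAffectedRelease) { 'Not in affected set' }
            elseif ($patchInstalled)     { 'Patched' }
            elseif ($workaroundApplied)  { 'Mitigated by workaround only; still patch' }
            else                         { 'Likely vulnerable' }

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ReleaseId           = $release
    Build               = $build
    AffectedRelease     = $isAffectedRelease
    CompressionDisabled = $workaroundApplied
    FixInstalled        = $patchInstalled   # $null when no KB was supplied
    Exposure            = $exposure
}
```

Note that the workaround only protects the server side; clients on an affected release remain exposed until the patch is installed, which is why the report still says to patch.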