Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

SMBGhost CVE-2020-0796 a Critical SMBv3 RCE Vulnerability

Overview

Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check to see if they are vulnerable to this issue and patch as soon as possible where they are.

Server Messenger Block (SMB) is a Microsoft protocol that allows sharing resources like file shares and printers on the network. In this case, a vulnerability exists in SMBv3 (specifically version 3.1.1) where an attacker puts malicious payload into a compressed SMB connection. When the client or server attempts to decompress the stream, the attacker controlled data ends up in a memory buffer without proper bounds checking. The result is a classic buffer overflow attack where the attacker's code is executed in memory at SYSTEM level privileges.

Another issue is the fact that an attacker can exploit the vulnerability before any authentication takes place. So the exploit scenario ends up being the ability to remotely execute arbitrary code at SYSTEM level privileges without having to provide any authentication. This is why the vulnerability is considered "wormable." In other words, the conditions are such that an attacker could write malware that would automatically exploit this vulnerability, then use the exploited system to scan for and attack other vulnerable hosts.

Luckily exposure to this vulnerability is a bit limited. Since the compression option in SMB was only introduced recently (April 2019 in the case of version 1903 and November 2019 for version 1909). Therefore this flaw only affects:

  • Windows 10 Version 1903, 1909
  • Windows Server Version 1903, 1909

Researchers love naming these types of vulnerabilities and have called this one names like EternalDarkness and CoronaBlue. However, SMBGhost seems to be the one that is taking hold in the industry.

Mitigations

You can't mitigate a problem you don't know the scope of, so we recommend you have an up-to-date inventory of the systems and operating systems on your network. There are several open source scanners that can help you look for this specific vulnerability. Here are two scanners written in Python:

Once you've enumerated which systems are vulnerable, the most straightforward mitigation is to apply the patch available from Microsoft here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

If you are unable to patch at this moment, there is a workaround to disable SMB compression on the server-side. The following Powershell command will accomplish this:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Please note that this workaround will only secure SMB servers and not the clients. A client that is tricked into connecting to a malicious SMB server could still be exploited.

In addition to these steps, this might be a good time to give your perimeter firewalls an audit to make sure you aren't exposing SMB ports to potential attackers. Microsoft has an excellent write-up on what to look for and lockdown.

Conclusion

SMBGhost is a very problematic vulnerability, and while there are no public RCE exploits as of this writing, exploits that trigger a Denial of Service condition are readily available. RCE exploits won't be far behind. Because of this, we recommend that all system and network administrators make a plan to apply the available patch as soon as they can. The additional workarounds and firewall tuning can also help mitigate this issue until it's possible to apply the patch.

Trustwave is currently in the process of vulnerability checks and IDPS signatures covering this vulnerability, both of which will be available to customers in the next couple of days.

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More