Loading...
Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

SMBGhost (CVE-2020-0796): a Critical SMBv3 RCE Vulnerability

Overview

Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check to see if they are vulnerable to this issue and patch as soon as possible where they are.

Server Messenger Block (SMB) is a Microsoft protocol that allows sharing resources like file shares and printers on the network. In this case, a vulnerability exists in SMBv3 (specifically version 3.1.1) where an attacker puts malicious payload into a compressed SMB connection. When the client or server attempts to decompress the stream, the attacker controlled data ends up in a memory buffer without proper bounds checking. The result is a classic buffer overflow attack where the attacker's code is executed in memory at SYSTEM level privileges.

Another issue is the fact that an attacker can exploit the vulnerability before any authentication takes place. So the exploit scenario ends up being the ability to remotely execute arbitrary code at SYSTEM level privileges without having to provide any authentication. This is why the vulnerability is considered "wormable." In other words, the conditions are such that an attacker could write malware that would automatically exploit this vulnerability, then use the exploited system to scan for and attack other vulnerable hosts.

Luckily exposure to this vulnerability is a bit limited. Since the compression option in SMB was only introduced recently (April 2019 in the case of version 1903 and November 2019 for version 1909). Therefore this flaw only affects:

  • Windows 10 Version 1903, 1909
  • Windows Server Version 1903, 1909

Researchers love naming these types of vulnerabilities and have called this one names like EternalDarkness and CoronaBlue. However, SMBGhost seems to be the one that is taking hold in the industry.

Mitigations

You can't mitigate a problem you don't know the scope of, so we recommend you have an up-to-date inventory of the systems and operating systems on your network. There are several open source scanners that can help you look for this specific vulnerability. Here are two scanners written in Python:

Once you've enumerated which systems are vulnerable, the most straightforward mitigation is to apply the patch available from Microsoft here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

If you are unable to patch at this moment, there is a workaround to disable SMB compression on the server-side. The following Powershell command will accomplish this:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Please note that this workaround will only secure SMB servers and not the clients. A client that is tricked into connecting to a malicious SMB server could still be exploited.

In addition to these steps, this might be a good time to give your perimeter firewalls an audit to make sure you aren't exposing SMB ports to potential attackers. Microsoft has an excellent write-up on what to look for and lockdown.

Conclusion

SMBGhost is a very problematic vulnerability, and while there are no public RCE exploits as of this writing, exploits that trigger a Denial of Service condition are readily available. RCE exploits won't be far behind. Because of this, we recommend that all system and network administrators make a plan to apply the available patch as soon as they can. The additional workarounds and firewall tuning can also help mitigate this issue until it's possible to apply the patch.

Trustwave is currently in the process of vulnerability checks and IDPS signatures covering this vulnerability, both of which will be available to customers in the next couple of days.

Recent SpiderLabs Blog Posts