Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check whether they are vulnerable to this issue and, where they are, patch as soon as possible.
Server Message Block (SMB) is a Microsoft protocol that allows sharing resources like file shares and printers on the network. In this case, a vulnerability exists in SMBv3 (specifically version 3.1.1) where an attacker places a malicious payload into a compressed SMB connection. When the client or server attempts to decompress the stream, the attacker-controlled data ends up in a memory buffer without proper bounds checking. The result is a classic buffer overflow attack where the attacker's code is executed in memory at SYSTEM level privileges.
Another issue is that an attacker can exploit the vulnerability before any authentication takes place. So the exploit scenario ends up being the ability to remotely execute arbitrary code at SYSTEM level privileges without having to provide any authentication. This is why the vulnerability is considered "wormable." In other words, the conditions are such that an attacker could write malware that would automatically exploit this vulnerability, then use the exploited system to scan for and attack other vulnerable hosts.
Luckily, exposure to this vulnerability is somewhat limited, since the compression option in SMB was only introduced recently (April 2019 in the case of version 1903 and November 2019 for version 1909). Therefore this flaw only affects:
Researchers love naming these types of vulnerabilities and have called this one names like EternalDarkness and CoronaBlue. However, SMBGhost seems to be the one that is taking hold in the industry.
You can't mitigate a problem you don't know the scope of, so we recommend you have an up-to-date inventory of the systems and operating systems on your network. There are several open source scanners that can help you look for this specific vulnerability. Here are two scanners written in Python:
Once you've enumerated which systems are vulnerable, the most straightforward mitigation is to apply the patch available from Microsoft here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
If you are unable to patch at this moment, there is a workaround to disable SMB compression on the server side. The following PowerShell command will accomplish this:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Please note that this workaround will only secure SMB servers and not the clients. A client that is tricked into connecting to a malicious SMB server could still be exploited.
In addition to these steps, this might be a good time to give your perimeter firewalls an audit to make sure you aren't exposing SMB ports to potential attackers. Microsoft has an excellent write-up on what to look for and lock down.
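The following PowerShell script is an added example, not Trustwave's own tooling and not part of the original post. It ties the steps above together on a single host: it checks whether the machine runs one of the affected releases, reports or (with -Apply) sets the DisableCompression workaround, and lists enabled inbound firewall rules that open TCP 445. It assumes it runs in an elevated session and that the ReleaseId value under the CurrentVersion key reports "1903" or "1909" on the affected builds.

```powershell
# Added example: audit a Windows host for the SMBGhost (CVE-2020-0796) exposure
# described above and optionally apply the server-side compression workaround.
# Assumes an elevated session; ReleaseId is assumed to read "1903" or "1909".
param([switch]$Apply)

$affectedReleases = @('1903', '1909')
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# 1. Is this host one of the releases that shipped SMB compression?
$releaseId = (Get-ItemProperty -Path $versionKey -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId
if ($affectedReleases -notcontains $releaseId) {
    Write-Output "Release '$releaseId' is not 1903/1909; SMB compression is not present, nothing to do."
    return
}
Write-Output "Release $releaseId is in scope for CVE-2020-0796; apply the Microsoft patch when possible."

# 2. Server-side workaround state (DisableCompression = 1 turns compression off).
$current = (Get-ItemProperty -Path $lanmanKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
if ($current -eq 1) {
    Write-Output "Workaround present: DisableCompression is already 1."
} elseif ($Apply) {
    Set-ItemProperty -Path $lanmanKey -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Output "Workaround applied: DisableCompression set to 1 (protects the SMB server role only)."
} else {
    Write-Output "Workaround absent: DisableCompression is '$current'. Re-run with -Apply, or patch."
}
# Note: this setting does not protect the SMB client; a client connecting to a
# malicious server remains exposed until the patch is installed.

# 3. Firewall audit: enabled inbound rules that open the SMB port (TCP 445).
$smbRules = Get-NetFirewallRule -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains '445' -or $filter.LocalPort -eq 'Any')
    }
if ($smbRules) {
    Write-Output "Enabled inbound rules exposing TCP 445 (review against the perimeter policy):"
    $smbRules | Select-Object DisplayName, Profile, Action | Format-Table -AutoSize
} else {
    Write-Output "No enabled inbound firewall rule opens TCP 445 on this host."
}
```

Run it without -Apply first to get a read-only report; the firewall listing is per host and does not replace auditing the perimeter firewall itself.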
SMBGhost is a very problematic vulnerability, and while there are no public RCE exploits as of this writing, exploits that trigger a Denial of Service condition are readily available. RCE exploits won't be far behind. Because of this, we recommend that all system and network administrators make a plan to apply the available patch as soon as they can. The additional workarounds and firewall tuning can also help mitigate this issue until it's possible to apply the patch.
Trustwave is currently in the process of developing vulnerability checks and IDPS signatures covering this vulnerability, both of which will be available to customers in the next couple of days.
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.