
What is the SMBGhost Vulnerability (CVE-2020-0796)?

March 12, 2020

Microsoft has accidentally revealed information about a security update for SMBGhost (CVE-2020-0796), a wormable vulnerability in the Microsoft Server Message Block (SMB) protocol.

So First - How Can You Fix SMBGhost?

While there isn't a patch available for the SMBGhost vulnerability just yet, consider implementing the following workarounds to mitigate the risk immediately:

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force


1. No reboot is needed after making the change.
2. This workaround does not prevent exploitation of SMB clients.

You can revert the workaround with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force


Source: Microsoft Security Advisory ADV200005

Block inbound and outbound SMB

Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed inbound to the enterprise LAN.
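The two workarounds above (disabling SMBv3 compression and blocking inbound TCP 445) can be audited and applied together from one script. The following is an added example, not code from the advisory or from the original post; the function and firewall rule names are assumptions chosen for this example, and it must be run from an elevated PowerShell session.

```powershell
# Added example: audit both SMBGhost workarounds on the local host and,
# with -Apply, enforce them. Not from ADV200005; names below are assumed.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName = 'Block inbound SMB 445 (SMBGhost workaround)'   # assumed rule name

function Get-SmbCompressionState {
    # $true when DisableCompression is 1, i.e. the server-side workaround is active.
    $item = Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableCompression -eq 1)
}

function Get-Smb445BlockState {
    # $true when an enabled inbound firewall rule blocks TCP port 445.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')) { return $true }
    }
    return $false
}

function Invoke-SmbGhostWorkaround {
    param([switch]$Apply)
    $compressionOff = Get-SmbCompressionState
    $blocked445     = Get-Smb445BlockState
    Write-Host ("SMBv3 compression disabled : {0}" -f $compressionOff)
    Write-Host ("Inbound TCP 445 blocked    : {0}" -f $blocked445)
    if (-not $Apply) { return }
    if (-not $compressionOff) {
        # Same registry change as the advisory workaround; no reboot required.
        # Note: this protects the SMB server role only, not the SMB client.
        Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value 1 -Force
    }
    if (-not $blocked445) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

Invoke-SmbGhostWorkaround          # audit only
# Invoke-SmbGhostWorkaround -Apply # enforce both workarounds
```

Blocking outbound SMB from the LAN to the WAN is a perimeter control and is not covered by this host-level script.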

What's SMBGhost's impact?

SMBv3 contains a vulnerability in the way it handles connections that use compression. By connecting to a vulnerable Windows machine running SMBv3, or by causing a vulnerable Windows system to initiate a client connection to an SMBv3 server, a remote, unauthenticated attacker would be able to execute arbitrary code with SYSTEM privileges on the vulnerable system.

Researchers from the cybersecurity firm Kryptos Logic have found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting CVE-2020-0796. "The SMB bug appears trivial to identify, even without the presence of a patch to analyze," they say.

DoS PoC Demoed

Microsoft has shared a demo of a DoS PoC exploit developed by researcher Marcus Hutchins (aka MalwareTech).

To learn more about how Vulcan can help you orchestrate remediation, speak with one of our experts.
