
What is the SMBGhost Vulnerability (CVE-2020-0796)?

Yonatan Amitay | Mar 12, 2020 | Vulcan Cyber security researcher

Microsoft has accidentally revealed information about a security update for SMBGhost (CVE-2020-0796), a wormable vulnerability in the Microsoft Server Message Block (SMB) protocol.

So First – How Can You Fix SMBGhost?

While there isn’t a practical patch out there for the SMBGhost vulnerability just yet, consider implementing the following workarounds to mitigate the risk immediately: 

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes: 
 
1. No reboot is needed after making the change. 
2. This workaround does not prevent exploitation of SMB clients. 
 
You can disable the workaround with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Source: Microsoft Security Advisory ADV200005
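
To confirm the workaround is actually in place on a server, and to apply it without rewriting a value that is already correct, the following added example (not part of the advisory or the original post) reads DisableCompression before and after the change. The function names are hypothetical; the registry path and value name are the ones used in the commands above.

```powershell
# Added example: audit and optionally apply the server-side workaround.
# Function names are hypothetical; path and value name come from the commands above.
$ParamKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

function Get-SmbCompressionWorkaround {
    # Read-only check: returns the current state without changing anything.
    $item = Get-ItemProperty -Path $ParamKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.$ValueName } else { $null }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ValuePresent = ($null -ne $raw)
        RawValue     = $raw
        # Only an explicit 1 counts; a missing value means the workaround is not applied.
        WorkaroundOn = ($raw -eq 1)
    }
}

function Set-SmbCompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([bool]$Enabled = $true)

    $target = if ($Enabled) { 1 } else { 0 }
    $before = Get-SmbCompressionWorkaround
    if ($before.ValuePresent -and $before.RawValue -eq $target) {
        Write-Verbose "$ValueName is already $target; nothing to do."
        return $before
    }
    # Honors -WhatIf and -Confirm, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($ParamKey, "Set $ValueName to $target")) {
        Set-ItemProperty -Path $ParamKey -Name $ValueName -Type DWord -Value $target -Force
    }
    # Re-read so the caller sees what is actually stored in the registry.
    $after = Get-SmbCompressionWorkaround
    if (-not $WhatIfPreference -and $after.RawValue -ne $target) {
        throw "Failed to set $ValueName to $target on $($after.ComputerName)"
    }
    $after
}

# Report only. Run Set-SmbCompressionWorkaround from an elevated session to apply.
Get-SmbCompressionWorkaround
```

A result with WorkaroundOn set to True covers only the SMB server role on that host; as the notes above say, SMB clients remain exposed.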

Block inbound and outbound SMB

Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN. 

What’s SMBGhost’s impact?

SMBv3 contains a vulnerability in the way it handles connections that use compression. By connecting to a vulnerable Windows machine running SMBv3, or by causing a vulnerable Windows system to initiate a client connection to an SMBv3 server, a remote, unauthenticated attacker would be able to execute arbitrary code with SYSTEM privileges on the vulnerable system.

Researchers from the cybersecurity firm Kryptos Logic have found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting CVE-2020-0796. “The SMB bug appears trivial to identify, even without the presence of a patch to analyze,” they say.

DoS PoC Demoed

Microsoft has shared a demo of a DoS PoC exploit developed by researcher Marcus Hutchins (aka MalwareTech).


About the Author

Yonatan Amitay

Yonatan is a member of the Vulcan Cyber research team working to put more intelligence into remediation. He is perfectly suited for the job with experience as a full stack developer, Python developer, and as a cyber security infrastructure engineer.
