What is the SMBGhost Vulnerability (CVE-2020-0796)?
Microsoft have accidentally revealed information regarding a security update for a wormable vulnerability SMBGhost (CVE-2020-0796) in the Microsoft Server Message Block protocol.
So First – How Can You Fix SMBGhost?
While there isn’t a practical patch out there for the SMBGhost vulnerability just yet, consider implementing the following workarounds to mitigate the risk immediately:
Disable SMBv3 compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:
|Set-ItemProperty -Path “HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters” DisableCompression -Type DWORD -Value 1 -Force|
1. No reboot is needed after making the change.
2. This workaround does not prevent exploitation of SMB clients.
You can disable the workaround with the following PowerShell command:
|Set-ItemProperty -Path “HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters” DisableCompression -Type DWORD -Value 0 -Force|
Block inbound and outbound SMB
Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN.
What’s SMBGhost’s impact?
SMBv3 contains a vulnerability in the way it handles connections that use compression. By connected to such vulnerable Windows machine running SMBv3 or causing a vulnerable Windows system to initiate a client connection to a SMBv3 server, a remote, unauthenticated attacker would be able to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Researchers from the cybersecurity firm Kryptos Logic have found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the vulnerability CVE-2020-0796. “The SMB bug appears trivial to identify, even without the presence of a patch to analyze” they say.
DoS POC Demoed
Microsoft have shared a demo of a DOS POC exploit developed by researcher Marcus Hutchins (aka MalwareTech).
To learn more about how Vulcan can help you orchestrate remediation, speak with one of our experts.
Sources for the article: