
What is the SMBGhost Vulnerability (CVE-2020-0796)?

Derek Hays | March 12, 2020

In March 2020, Microsoft released an official advisory about a critical vulnerability called SMBGhost or CVE-2020-0796. With a CVSS:3.0 score of 10.0, SMBGhost is considered a critical vulnerability and is “wormable” with the potential to replicate and spread over networks. Let’s dive into the SMBGhost vulnerability, its impact, and how you can mitigate it to protect your system and networks. 

SMBGhost Vulnerability: What Is It? 

SMBGhost, or CVE-2020-0796, is a vulnerability that resides within Microsoft Server Message Block 3.0 (SMBv3), a protocol the company introduced in its newer operating systems. This communication protocol enables shared access to files, data, and other assets within an interconnected computer network.

The SMBGhost vulnerability affects the compression feature of SMBv3 (version 3.1.1) and exposes systems that run Windows 10 (1903 and 1909) and Windows Server (1903, 1909). Older versions of the Windows OS, such as Windows 7 and 8, are not affected by this vulnerability as they don’t support SMBv3 compression.

SMBGhost has worming capabilities, given its ability to spread and replicate over network shares via SMBv3 (version 3.1.1). To exploit this vulnerability against a server, a threat actor sends a specially crafted SMBv3 packet to the vulnerable server; to exploit it against a client, the attacker entices a user to connect to a compromised server. Successful exploitation enables the attacker to execute code on the target SMB server or client.

The Impact of the SMBGhost Vulnerability

Successful exploitation of the SMBGhost CVE can lead to arbitrary remote code execution. By connecting to a vulnerable Windows machine running SMBv3, or by causing a vulnerable Windows system to initiate a client connection to an SMBv3 server, a remote, unauthenticated attacker can execute arbitrary code with SYSTEM privileges on the vulnerable system.

Its potential wormability adds to the risk of widespread exploitation. Microsoft has shared a demo of a DoS PoC exploit developed by researcher Marcus Hutchins (aka MalwareTech).

Researchers from the cybersecurity firm Kryptos Logic have found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the vulnerability CVE-2020-0796. “The SMB bug appears trivial to identify, even without the presence of a patch to analyze,” they say. 

Recommendations for SMBGhost

Microsoft has released security updates to mitigate the risk of the SMBGhost vulnerability. To ensure protection for your system, staying up to date with patches is critical. Mitigating threats is more challenging if you don’t know the scope of your vulnerabilities, so we recommend auditing the operating systems on your network and investing in robust vulnerability management software. 

Once you’ve identified potentially vulnerable systems, implement Microsoft’s recommended workarounds to prevent attacks against SMBv3 servers.

1. Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. However, this workaround will only secure the SMB server, not the end user. 

Clients tricked into connecting to a compromised SMB server can still be exploited. Microsoft recommends implementing firewall best practices and configurations to enhance network security and prevent malicious traffic from entering your network.

You can use the PowerShell command below to disable SMBv3 compression:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Notes:

  1. No reboot is needed after making the change.
  2. This workaround does not prevent exploitation of SMB clients.

You can disable the workaround with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

2. Block Inbound and Outbound SMB

SMB connections, including those to a compromised SMB server, use TCP port 445. Blocking this port on your perimeter firewall mitigates external attacks. However, you might still be vulnerable to attacks from within your enterprise perimeter.

Implementing segmentation by blocking port 445 on assets that do not need it helps stop lateral movement that may exploit these vulnerabilities. Besides these workarounds, regular audits of your perimeter firewalls, networks, and endpoints help identify potential exposure to SMB exploits and prevent attacks before they happen.
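
To audit both workarounds on a host, the following PowerShell function reports whether the Windows version is one listed above as affected, whether the DisableCompression value is set, and whether TCP 445 is listening and allowed inbound. It is an added example, not code from the original article or from Microsoft; the function name and output property names are hypothetical, and it checks workaround state only, not whether the security update is installed.

```powershell
# Added example (not from the original article). Function and property names
# are hypothetical; the registry value and versions are the ones cited above.
function Get-SmbGhostWorkaroundStatus {
    [CmdletBinding()]
    param()

    $osKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $smbKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # ReleaseId holds the feature-update version, e.g. "1903" or "1909".
    $releaseId = (Get-ItemProperty -Path $osKey -Name ReleaseId -ErrorAction SilentlyContinue).ReleaseId
    $inScope   = $releaseId -in @('1903', '1909')

    # An absent value means the workaround was never applied (compression still on).
    $value = (Get-ItemProperty -Path $smbKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($value -eq 1)

    # Is the SMB server listening on TCP 445 at all?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Enabled inbound allow rules that name port 445 explicitly
    # (rules written as port ranges or "Any" are not matched here).
    $allowRules = @(Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ReleaseId           = $releaseId
        VersionInScope      = $inScope
        CompressionDisabled = $compressionDisabled
        ListeningOn445      = $listening
        InboundAllow445     = $allowRules.DisplayName
        # Affected version, SMB server reachable, workaround not applied.
        NeedsAttention      = $inScope -and $listening -and -not $compressionDisabled
    }
}

Get-SmbGhostWorkaroundStatus | Format-List
```

Run it in an elevated session so the firewall cmdlets can read every rule; a host that shows NeedsAttention as True should be patched or have the compression workaround applied.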

Mitigate Cyber Risks with Vulcan 

The SMBGhost vulnerability is just one of the numerous threats that leave your organization vulnerable to cyber attacks. Investing in vulnerability management tools strengthens your company’s risk management strategies and addresses critical exposures. Vulcan Cyber provides organizations with a robust risk management solution to accomplish this goal. 

With Vulcan, you gain full visibility into and control over your threat environment, from asset management and vulnerability scanning to actual remediation. Experience how Vulcan can make a difference in your organization by signing up for a trial or speaking with one of our team members today!
