SMBGhost SMBv3 Remote Code Execution Vulnerability

Microsoft has released details of a buffer overflow vulnerability, known as SMBGhost (also known as Bluesday, CoronaBlue, DeepBlue 3, NexternalBlue, or Redmond Drift), affecting the Server Message Block version 3.1.1 (SMBv3) protocol. They claim that an unauthenticated remote user could exploit this vulnerability to execute arbitrary code on vulnerable systems.

Threat ID:: 3390
Category:: Worm
Threat Severity:: High
Threat Vector:: Insecure network, Vulnerability, Zero day
Published:: 11 March 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Versions: 1903 & 1909

Windows 10

Versions: 1903 & 1909

Microsoft Windows Server

Threat details

The vulnerability is a result of SMBv3 mishandling improperly crafted compressed data packets. By sending maliciously crafted packets, an attacker may be able to take control of an affected system. If this system is acting as an SMBv3 server, the attacker would then be able to access any SMBv3 clients that may connect to it.

As this vulnerability occurs pre-authentication, it can be classed as 'wormable' and could be used as a method to propagate malware without requiring user interaction.

There are now a number of publicly available exploits for SMBGhost, with some incorporating the newer SMBleed vulnerability, in what is being referred to as SMBleedingGhost.

For further information

CERT/CC Vulnerability Note VU#872016

Remediation advice

Microsoft has released out-of-band updates to address SMBGhost in all known vulnerable products. Affected organisations are encouraged to review Microsoft's KB article and apply any updates immediately.

Organisations that cannot apply the updates should consider Microsoft’s recommendation to disable SMB compression using the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Please note that this only prevents exploitation of the vulnerability against SMBv3 servers. Systems acting as SMBv3 clients will still be exposed.

Affected organisations should also consider blocking all inbound and outbound connections over TCP port 445 at their perimeter firewall. To help prevent the propagation of related attacks, inbound TCP port 445 connections can also be blocked using host-based firewalls.

Remediation steps

Type	Step
Patch	Apply all necessary updates. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

Definitive source of threat updates

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

CVE Vulnerabilities

Status Master

CVE-2020-0796

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

Last edited: 16 June 2020 11:40 am