
SMBGhost SMBv3 Remote Code Execution Vulnerability

Microsoft has released details of a buffer overflow vulnerability, known as SMBGhost (also known as Bluesday, CoronaBlue, DeepBlue 3, NexternalBlue, or Redmond Drift), affecting the Server Message Block version 3.1.1 (SMBv3) protocol. Microsoft states that an unauthenticated remote user could exploit this vulnerability to execute arbitrary code on vulnerable systems.




Threat details

The vulnerability results from SMBv3 mishandling improperly crafted compressed data packets. By sending maliciously crafted packets, an attacker may be able to take control of an affected system. If that system is acting as an SMBv3 server, the attacker could in turn reach any SMBv3 clients that connect to it.

As this vulnerability occurs pre-authentication, it can be classed as 'wormable' and could be used as a method to propagate malware without requiring user interaction.

Update

A proof of concept exploit has been published for the SMBGhost vulnerability. The release of the proof of concept code significantly increases the likelihood of attacks attempting to exploit vulnerable systems. Any remaining unpatched devices should be updated immediately or alternative mitigation applied as described below.

Microsoft Defender ATP users can view and export a list of affected devices at this link: https://securitycenter.windows.com/vulnerabilities?search=cve-2020-0796



Remediation steps


Microsoft has released out-of-band updates to address SMBGhost in all known vulnerable products. Affected organisations are encouraged to review Microsoft's KB article and apply any updates immediately.

Organisations that cannot apply the updates should consider Microsoft’s recommendation to disable SMB compression using the following PowerShell command: 

  • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Please note that this only prevents exploitation of the vulnerability against SMBv3 servers. Systems acting as SMBv3 clients will still be exposed.

Affected organisations should also consider blocking all inbound and outbound connections over TCP port 445 at their perimeter firewall. To help prevent the propagation of related attacks, inbound TCP port 445 connections can also be blocked using host-based firewalls.
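The following script is an added example, not part of this advisory and not Microsoft's own tooling. It audits a Windows host for the two interim mitigations described above (SMB compression disabled via the DisableCompression registry value, and inbound TCP 445 blocked by a host-based firewall rule) and, when run with -Apply from an elevated session, puts them in place. The firewall rule name is an arbitrary label chosen for this example.

```powershell
# Added example (not from the advisory): audit and optionally apply the
# SMBGhost interim mitigations on a Windows host.
# Assumes an elevated PowerShell session. Neither mitigation replaces the
# out-of-band update; disabling compression protects only the SMBv3 server
# role, and the host still needs the patch referenced in Microsoft's KB article.
param(
    [switch]$Apply   # without -Apply the script only reports current state
)

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RuleName = 'Block inbound SMB TCP 445 (SMBGhost mitigation)'   # example label

function Get-SmbCompressionState {
    # $true when DisableCompression is present and set to 1
    $item = Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableCompression -eq 1)
}

function Get-Port445BlockState {
    # $true when an enabled host-firewall rule with our label blocks inbound TCP 445
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    return ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
}

if ($Apply) {
    if (-not (Get-SmbCompressionState)) {
        # Microsoft's recommended workaround for the SMBv3 server role
        Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value 1 -Force
    }
    if (-not (Get-Port445BlockState)) {
        # Host-based block of inbound SMB to limit propagation between hosts
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

$state = [pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    SmbCompressionDisabled = Get-SmbCompressionState
    InboundTcp445Blocked   = Get-Port445BlockState
}

if ($state.SmbCompressionDisabled) {
    # The advisory's caveat: the registry workaround does not protect SMBv3 clients
    Write-Warning 'SMB compression is disabled on the server role only; SMBv3 client connections remain exposed until the update is applied.'
}

$state
```

Run it without switches to record the current state of a host (for example from a fleet-wide inventory job), and with -Apply to enforce the workaround where the out-of-band update cannot yet be installed. The firewall rule blocks inbound connections only; blocking outbound TCP 445 at the perimeter, as the advisory suggests, is a network-level control and is deliberately left to the perimeter firewall.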


Last edited: 29 June 2021 12:01 pm