
SMBGhost (CVE-2020-0796): a Critical SMBv3 RCE Vulnerability

Overview

Last week Microsoft announced a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server, versions 1903 and 1909. The CVE wasn't initially included in last week's Patch Tuesday, but after details of the vulnerability leaked, Microsoft released an advisory and an "out of band" patch on Thursday, March 12th, 2020. All Windows administrators should check whether they are vulnerable to this issue and patch as soon as possible wherever they are.

Server Message Block (SMB) is the Microsoft protocol used to share resources such as file shares and printers over the network. The vulnerability is in SMBv3 (specifically dialect 3.1.1) in the handling of compressed SMB messages: an attacker sends a malicious compressed packet, and when the client or server decompresses it, the attacker-controlled data is copied into a memory buffer without proper bounds checking. The result is a classic buffer overflow in which the attacker's code runs with SYSTEM level privileges; on the server side the vulnerable code lives in the kernel driver srv2.sys, so there is no lower-privileged process in the way.

Another issue is that the vulnerable code runs before any authentication takes place, so the exploit scenario is unauthenticated remote code execution at SYSTEM level privileges. That is why the vulnerability is considered "wormable": the conditions allow an attacker to write malware that exploits the flaw automatically and then uses the compromised system to scan for and attack other vulnerable hosts.

Luckily, exposure to this vulnerability is somewhat limited, because SMB compression was only introduced recently (April 2019 with version 1903 and November 2019 with version 1909). This flaw therefore only affects:

  • Windows 10 Version 1903, 1909
  • Windows Server Version 1903, 1909

Researchers love naming these types of vulnerabilities and have called this one names like EternalDarkness and CoronaBlue. However, SMBGhost seems to be the one that is taking hold in the industry.

Mitigations

You can't mitigate a problem you don't know the scope of, so we recommend keeping an up-to-date inventory of the systems and operating systems on your network. Several open source scanners, including two written in Python, can help you look for this specific vulnerability.
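As an added illustration of the compression negotiation described in the overview and of what the public Python scanners actually test for, here is a small probe. It is example code written for this post, not Trustwave's tooling and not one of the scanners referred to above. It sends an SMB2 NEGOTIATE request that offers dialect 3.1.1 together with a COMPRESSION_CAPABILITIES negotiate context, then reports whether the server negotiated 3.1.1 and advertised a compression algorithm. The server reply used for the offline check is constructed in the script, not captured from a real host, and the probe() function needs network access to TCP/445 on the target.

```python
"""Probe an SMB server for the SMB 3.1.1 compression capability SMBGhost (CVE-2020-0796) lives in."""
import os
import socket
import struct

SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
HEADER_LEN = 64  # SMB2 header size

def _pad8(n):
    return (-n) % 8  # negotiate contexts are 8-byte aligned

def _context(ctx_type, data):
    # SMB2_NEGOTIATE_CONTEXT: ContextType, DataLength, Reserved, Data
    return struct.pack("<HHI", ctx_type, len(data), 0) + data

def _smb2_header(command, flags=0):
    # ProtocolId, StructureSize, CreditCharge, Status, Command, Credits, Flags,
    # NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", HEADER_LEN, 0, 0, command,
                       1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)

def build_negotiate_request(client_guid=None, salt=None):
    """Raw SMB2 NEGOTIATE offering dialect 3.1.1 plus a COMPRESSION_CAPABILITIES context."""
    client_guid = client_guid or os.urandom(16)
    salt = salt or os.urandom(32)
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    # 3.1.1 requires a preauth-integrity context (SHA-512 + salt); the compression
    # context offering LZNT1, LZ77 and LZ77+Huffman is what we are probing with.
    preauth = _context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, len(salt), 0x0001) + salt)
    compression = _context(CTX_COMPRESSION, struct.pack("<HHI3H", 3, 0, 0, 1, 2, 3))
    contexts = preauth + b"\x00" * _pad8(len(preauth)) + compression
    fixed_len = HEADER_LEN + 36 + 2 * len(dialects)  # header + fixed body + dialect array
    ctx_offset = fixed_len + _pad8(fixed_len)        # measured from the start of the SMB2 header
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 0x0001, 0, 0x7F, client_guid,
                       ctx_offset, 2, 0) + struct.pack("<%dH" % len(dialects), *dialects)
    return _smb2_header(SMB2_NEGOTIATE) + body + b"\x00" * _pad8(fixed_len) + contexts

def parse_negotiate_response(msg):
    """Return (dialect, [compression algorithm ids]) from a NEGOTIATE response, or None."""
    if len(msg) < HEADER_LEN + 64 or msg[:4] != b"\xfeSMB":
        return None
    status, command = struct.unpack_from("<IH", msg, 8)
    if status != 0 or command != SMB2_NEGOTIATE:
        return None
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, HEADER_LEN)
    if struct_size != 65:
        return None
    off = struct.unpack_from("<I", msg, HEADER_LEN + 60)[0]  # NegotiateContextOffset
    algorithms = []
    for _ in range(ctx_count if dialect == DIALECT_311 else 0):
        if off + 8 > len(msg):
            break
        ctx_type, data_len = struct.unpack_from("<HH", msg, off)
        data = msg[off + 8:off + 8 + data_len]
        if ctx_type == CTX_COMPRESSION and len(data) >= 8:
            # CompressionAlgorithmCount, Padding, Flags, then the algorithm ids
            count = min(struct.unpack_from("<H", data, 0)[0], (len(data) - 8) // 2)
            algorithms = list(struct.unpack_from("<%dH" % count, data, 8))
        off += 8 + data_len + _pad8(data_len)
    return dialect, algorithms

def exposes_compression(parsed):
    """True when the server negotiated 3.1.1 and advertised a real (non-NONE) algorithm."""
    return parsed is not None and parsed[0] == DIALECT_311 and any(a != 0 for a in parsed[1])

def build_sample_response(dialect, algorithms):
    """Constructed server reply for offline use; not a capture from a real host."""
    ctxs = []
    if dialect == DIALECT_311:
        ctxs.append(_context(CTX_PREAUTH_INTEGRITY, struct.pack("<HHH", 1, 32, 1) + b"\x00" * 32))
        if algorithms:
            ctxs.append(_context(CTX_COMPRESSION, struct.pack("<HHI", len(algorithms), 0, 0)
                                 + struct.pack("<%dH" % len(algorithms), *algorithms)))
    ctx_offset = HEADER_LEN + 64 if ctxs else 0  # no security blob; contexts follow the fixed body
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, len(ctxs), b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, HEADER_LEN + 64, 0, ctx_offset)
    blob = b"".join(c + b"\x00" * _pad8(len(c)) for c in ctxs)
    return _smb2_header(SMB2_NEGOTIATE, flags=0x1) + body + blob

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(host, port=445, timeout=5.0):
    """Send the NEGOTIATE over TCP/445 with NetBIOS session framing and parse the reply."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        length = struct.unpack(">I", _recv_exact(s, 4))[0] & 0x00FFFFFF
        return parse_negotiate_response(_recv_exact(s, length))
```

Usage is `exposes_compression(probe("10.0.0.5"))` for each host in your inventory. Read a positive result as "compression is exposed on the wire, confirm the patch level", not as "unpatched": the patch fixes the decompression code and does not turn compression off, so a patched host answers the negotiation the same way, while a host with the DisableCompression workaround applied stops advertising an algorithm and comes back negative.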

Once you've enumerated which systems are vulnerable, the most straightforward mitigation is to apply the patch available from Microsoft here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

If you are unable to patch right now, there is a workaround that disables SMB compression on the server side. The following PowerShell command, run from an elevated prompt, accomplishes this:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Please note that this workaround only protects SMB servers, not clients: a client that is tricked into connecting to a malicious SMB server could still be exploited. No reboot is needed after setting the value, and the change can be reverted by setting DisableCompression back to 0 once the patch is applied.

In addition to these steps, this is a good time to audit your perimeter firewalls to make sure you aren't exposing SMB (TCP port 445) to potential attackers on the Internet. Microsoft has an excellent write-up on what to look for and lock down.

Conclusion

SMBGhost is a very problematic vulnerability. While there are no public RCE exploits as of this writing, exploits that trigger a denial-of-service condition are readily available, and RCE exploits won't be far behind. Because of this, we recommend that all system and network administrators plan to apply the available patch as soon as they can. The workaround and firewall tuning above can help mitigate the issue until the patch can be applied.

Trustwave is currently developing vulnerability checks and IDPS signatures covering this vulnerability, both of which will be available to customers in the next couple of days.

About the Author

Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.
