SMBGhost - Ghosts of the SMB Bugs Still Haunting Security Researchers
Server Message Block (SMB), the network protocol used for file sharing and inter-process network communication, has been a recurring source of security concern for a long time, especially after the WannaCry and NotPetya attacks. Recently, a researcher publicly disclosed yet another exploit for an SMB vulnerability, exposing the threat related to this technology.
Exploiting the SMBGhost vulnerability
- Recently, working exploit code for a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1) was made public; the bug could allow an attacker to achieve remote code execution on Windows 10 machines.
- The SMBGhost RCE exploit code was shared by a researcher under the GitHub username ‘chompie1337’ and publicly announced on Twitter via the handle ‘Chompie’.
- The exploit relies on a physical read primitive, a technique that may allow exploitation of future SMB memory corruption bugs as well.
Are SMB vulnerabilities dangerous?
The severity of SMB server vulnerabilities caught the attention of researchers after the widely reported WannaCry and NotPetya attacks of 2017, which used the EternalBlue exploit against SMBv1.
- The current SMBGhost vulnerability, tracked as CVE-2020-0796, affects Windows 10 versions 1903 and 1909, including Server Core installations.
- In March 2020, information about this vulnerability was inadvertently leaked by Microsoft, after which Microsoft released a critical patch to fix the issue.
Stay protected with patches and workarounds
In March 2020, Microsoft released the patch update (KB4551762) to fix this issue. Microsoft also provided several workarounds, including disabling SMBv3 compression on servers and blocking TCP port 445 (wherever applicable) at the enterprise perimeter firewall.
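The following PowerShell script is an added example, not code from the article or from Microsoft, that audits a single host for the conditions above and optionally applies the compression workaround. It assumes that builds 18362 and 18363 correspond to Windows 10 / Server 1903 and 1909, that KB4551762 is the fixing update, and that the DisableCompression registry value under the LanmanServer Parameters key is the switch Microsoft documented for the workaround (the article itself does not quote the key).

```powershell
# Added example (not from the article): audit a host for CVE-2020-0796 exposure
# and optionally apply the SMBv3 compression workaround.
# Assumptions: builds 18362/18363 are the affected 1903/1909 releases,
# KB4551762 is the fixing update, and DisableCompression under the
# LanmanServer Parameters key is the documented workaround value.
param(
    [switch]$ApplyWorkaround   # when set, writes DisableCompression = 1
)

$ParamsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedBuilds = @(18362, 18363)   # Windows 10 / Server Core 1903 and 1909
$FixKb          = 'KB4551762'

$build = [System.Environment]::OSVersion.Version.Build
if ($AffectedBuilds -notcontains $build) {
    Write-Output "Build $build is not in the affected list; nothing to do."
    return
}

# 1. Is the March 2020 fix installed?
$patched = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

# 2. Is the SMBv3 compression workaround already in place?
$disable = (Get-ItemProperty -Path $ParamsKey -Name DisableCompression `
            -ErrorAction SilentlyContinue).DisableCompression
$workaroundOn = ($disable -eq 1)

# Report: a host is exposed only if neither the patch nor the workaround is present.
[pscustomobject]@{
    Build          = $build
    PatchInstalled = $patched
    CompressionOff = $workaroundOn
    Exposed        = (-not $patched) -and (-not $workaroundOn)
}

if ($ApplyWorkaround -and -not $patched -and -not $workaroundOn) {
    # Disabling compression protects the SMB server side only; it does not
    # protect outbound SMB client connections, so patching is still required.
    Set-ItemProperty -Path $ParamsKey -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Output 'SMBv3 compression disabled (DisableCompression = 1); no reboot needed.'
}
```

Run it without the switch from an elevated prompt to get a read-only report; pass -ApplyWorkaround only on unpatched servers that cannot yet take KB4551762.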