CVE-2020-0796 AKA SMBGhost
- A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
- An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
- To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
- The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
- The vulnerability was discovered by the Microsoft Platform Security Assurance & Vulnerability Research team.
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
Ned Pyle statements
Ned Pyle, SMB protocol authority at Microsoft, made some important statements on Twitter:
- Disabling SMB compression via registry will have no effect on performance or transfer behaviors. This is a new feature coming to the protocol; It's present only to ensure network & storage vendors could understand the new capability/not break.
- The patch for the SMB compression RCE is released. ... It applies to all Windows 10 version 1903 & 1909, and Windows Server version 1903 & 1909. Does not apply to Windows Server 2019, W10 LTSC, or any older OSes and versions.
He also gave some very strong guidance regarding "Preventing SMB traffic from lateral connections and entering or leaving the network".
- Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
- ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression : https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
- Microsoft Security Update details : https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762
- Security Update catalog : https://www.catalog.update.microsoft.com/Search.aspx?q=KB4551762
- Check @synacktiv write up: https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html
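The patch and the registry workaround above are the two host-side controls this page relies on; the following audit script is an added example (not from the original page or from Microsoft) that reports, for one host, whether it runs an affected build, whether KB4551762 is installed, and whether the ADV200005 DisableCompression value is set, optionally applying the workaround. It assumes the affected builds are 18362 (1903) and 18363 (1909), that the registry path and value name match ADV200005, and that the script runs in an elevated PowerShell session.

```powershell
# Added example: audit a Windows 10 / Server 1903/1909 host for CVE-2020-0796
# exposure. Assumed: builds 18362 (1903) and 18363 (1909) are the affected
# builds; KB4551762 and the DisableCompression value are as in the advisories.
$AffectedBuilds = @(18362, 18363)
$FixKb          = 'KB4551762'
$RegPath        = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$RegName        = 'DisableCompression'

function Test-SmbGhostExposure {
    [CmdletBinding()]
    param([switch]$ApplyWorkaround)

    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $affectedOs = $AffectedBuilds -contains $build

    # Only the March 2020 update is checked; a later cumulative update that
    # supersedes it will not match, so treat "PatchInstalled = False" as a
    # prompt to verify, not as proof the host is unpatched.
    $patched = [bool](Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

    # Workaround state: a DWORD value of 1 means SMBv3 compression is disabled.
    $value = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    $compressionDisabled = ($value -eq 1)

    if ($ApplyWorkaround -and $affectedOs -and -not $patched -and -not $compressionDisabled) {
        # The registry change from ADV200005; Microsoft states no reboot is required.
        Set-ItemProperty -Path $RegPath -Name $RegName -Type DWord -Value 1 -Force
        $compressionDisabled = $true
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedOs          = $affectedOs
        PatchInstalled      = $patched
        CompressionDisabled = $compressionDisabled
        # Exposed only when the OS is affected and neither control is in place.
        Exposed             = ($affectedOs -and -not $patched -and -not $compressionDisabled)
    }
}

# Report only; add -ApplyWorkaround to set DisableCompression on exposed hosts.
Test-SmbGhostExposure
```

The workaround only protects the server side; clients connecting to a malicious SMBv3 server are still covered by the patch alone, which is why the script treats the registry value as a stopgap rather than a replacement for KB4551762.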
- Security Gateway R80 / R77 / R75
  * In the IPS tab, click Protections and find the Microsoft Windows SMBv3 Remote Code Execution (CVE-2020-0796) protection using the Search tool, then edit the protection's settings.
  * Install policy on all Security Gateways.
  * This protection's log will contain the following information:
    * Attack Name: Web Server Enforcement Violation.
    * Attack Information: Microsoft Windows SMBv3 Remote Code Execution (CVE-2020-0796)
- Snort rules:
  * 1:53427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
  * 1:53428 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
  * 1:53425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
  * 1:53426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
- Signature ID : 48773 MS.SMB.Server.Compression.Transform.Header.Memory.Corruption
- Detection appears to be done through the Automatic Exploit Prevention functionality.
Network Security Platform (IPS)
- The Network Security Platform team released signature set release version 10.8.7.2 on March 10, 2020 to detect this vulnerability.
- The signature has the following attack name and ID:
  * Attack Name: NETBIOS-SS: Samba Remote Code Execution Vulnerability (CVE-2020-0796)
  * Attack ID: 0x43c0e600
- See KB55446 for release notes and additional information about the emergency signature set release.
- The referenced article is available only to registered ServicePortal users.
Palo Alto Networks
Cortex XDR and Traps can:
- Stop the vulnerability exploit on unpatched Windows 10 systems.
- To gain protection, customers should ensure they are running the latest agent versions, specifically **XDR agent 7.0.1 or later and Traps agent 6.1.5 or later**.
- To mitigate this vulnerability, the latest XDR and Traps agents deploy the following methods of protection:
  * Per the recommendation from Microsoft, the agent disables SMBv3 compression through the OS registry.
  * Prevents exploit attempts by monitoring for malicious network packets that leverage this SMB exploit technique. The admin will be able to review the relevant Behavioral Threat Protection (BTP) alert, which is triggered by a BTP rule named **bioc.smb_compress_exploit**.
- can stop the exploit with static signature detections.
- will automatically stop sessions when this vulnerability is detected via the Palo Alto Networks IPS security solution, relevant Threat IDs are: **57778 and 57775**.
Proofpoint (Emerging Threats Pro)
- 2841453 - ETPRO EXPLOIT Possible SMBv3 Exploitation Attempt (CVE-2020-0796) (exploit.rules)
- Changelog suricata-4.0-enhanced etpro Tue Mar 10 20:27:56 2020
- OS Attack: Microsoft Server Message Block RCE CVE-2020-0796
- Please note that Sophos may release additional detections for these or other vulnerabilities in the future.
- Signatures 2302022 and 2301958 are supported by all versions of the Sophos IPS products.
XG version 18
- Signatures 2301960 and 2302002 have also been created for XG version 18 to provide generic detection coverage, leveraging the more advanced capabilities of that platform.
Advanced Cloud Firewall signature:
Advanced Cloud Sandbox:
Errors, typos, something to say?
- Feel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak