Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
BlueTeam CheatSheet * CVE-2020-0796 * SMBGhost | Last updated: 2020-03-18 1238 UTC

CVE-2020-0796 AKA SMBGhost

General

  • A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests.
  • An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
  • To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
  • The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.
  • Vulnerability was discovered by Microsoft Platform Security Assurance & Vulnerability Research team.

Affected products:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Ned Pyle statements

  • Ned Pyle, SMB protocol Authority, Microsft, made some important statements on Twitter:

    • Disabling SMB compression via registry will have no effect on performance or transfer behaviors. This is a new feature coming to the protocol; It's present only to ensure network & storage vendors could understand the new capability/not break.
    • The patch for the SMB compression RCE is released. ... It applies to all Windows 10 version 1903 & 1909, and Windows Server version 1903 & 1909. Does not apply to Windows Server 2019, W10 LTSC, or any older OSes and versions.
  • He made also some very strong guidance regarding "Preventing SMB traffic from lateral connections and entering or leaving the network"

Sources:

Vulnerability details

Detection

CheckPoint

Signatures

- Security Gateway R80 / R77 / R75
  - In the IPS tab, click Protections and find the Microsoft Windows SMBv3 Remote Code Execution (CVE-2020-0796) protection using the Search tool and Edit the protection's settings.
  - Install policy on all Security Gateways. 
  - This protection's log will contain the following information:
    * Attack Name:  Web Server Enforcement Violation.
    * Attack Information:  Microsoft Windows SMBv3 Remote Code Execution (CVE-2020-0796)

Source

Cisco (SNORT)

Signatures

- * 1:53427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
- * 1:53428 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
- * 1:53425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)
- * 1:53426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB srv2.sys remote code execution attempt (os-windows.rules)

Source

Fortinet

Signatures

- Signature ID : 48773 MS.SMB.Server.Compression.Transform.Header.Memory.Corruption

Source

Kaspersky

Signatures

- Detection seems done through the Automatic Exploit Prevention functionality

Source

McAfee

Signatures

Network Security Platform (IPS)
- The Network Security Platform team released signature set release version 10.8.7.2 on March 10, 2020 to detect this vulnerability.
- The signature has the following attack name and ID: 
  * Attack Name: NETBIOS-SS: Samba Remote Code Execution Vulnerability (CVE-2020-0796)
  * Attack ID: 0x43c0e600

- See KB55446 for release notes and additional information about the emergency signature set release.
- The referenced article is available only to registered ServicePortal users.

Sources

Microsoft

Signatures

- Behavior:Win32/CVE-2020-0796

Source

Palo Alto Networks

Signatures

Cortex XDR and Traps can:
- Stop the vulnerability exploit on unpatched Windows 10 systems. 
- To gain protection, customers should ensure they are running the latest agent versions, specifically **XDR agent 7.0.1 or later and Traps agent 6.1.5 or later**.
- To mitigate this vulnerability the latest XDR and Traps agents will deploy the following methods of protection
- Per the recommendation from Microsoft, the agent will disable SMBv3 compression through the OS registry.
- Prevents exploit attempts by monitoring for malicious network packets that leverage this SMB exploit technique. The admin will be able to review the relevant Behavioral Threat Protection (BTP) alert which will be triggered by a BTP rule named **bioc.smb_compress_exploit**
WildFire
- can stop the exploit with static signature detections.
Next-Generation Firewalls
- will automatically stop sessions when this vulnerability is detected via the Palo Alto Networks IPS security solution, relevant Threat IDs are: **57778 and 57775**.

Source

ProofPoint (Emerging Threat PRO)

Signatures

- 2841453 - ETPRO EXPLOIT Possible SMBv3 Exploitation Attempt (CVE-2020-0796) (exploit.rules)

Source

  • Changelog suricata-4.0-enhanced etpro Tue Mar 10 20:27:56 2020

SYMANTEC (Broadcom)

Signatures

- OS Attack: Microsoft Server Message Block RCE CVE-2020-0796

Source:

SOPHOS

Signatures

- Please note that Sophos may release additional detections for these or other vulnerabilities in the future. 
IPS
- Signatures 2302022 and 2301958 are supported by all versions of the Sophos IPS products.
XG version 18
- Signatures 2301960 and 2302002 have been also created for XG version 18 to provide generic detection coverage, leveraging more advanced capabilities in that platform.

Source:

Zscaler

Signatures

Advanced Cloud Firewall signature:
- Win32.Exploit.CVE-2020-0796
Advanced Cloud Sandbox:
- Win32.Exploit.CVE-2020-0796

Source:

Errors, typos, something to say ?

  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.