The March “Tuesday of updates” did not include a patch for the vulnerability CVE-2020-0796, information about which was mistakenly published by experts from Cisco Talos and Fortinet in the public domain. Recently, security professionals published PoC exploits for this vulnerability called SMBGhost.Problem CVE-2020-0796, also called SMBGhost, affects SMBv3, though Windows 10 1903, Windows 10 1909, Windows Server 1903, and Windows Server 1909 are also vulnerable to the bug.
Let me remind you that the SMB protocol a few years ago helped the distribution of WannaCry and NotPetya around the world. Recently Microsoft strongly recommended disabling SMBv1 in Microsoft Exchange, as it cannot come up with patches for this protocol.
Last month, Kryptos Logic experts estimated that about 48,000 hosts with an open SMB port, which are vulnerable to potential attacks with a new bug, can be found on the Internet.
“The vulnerability is a buffer overflow on Microsoft SMB servers. The problem manifests when the vulnerable software processes a malicious compressed data packet. A remote and unauthenticated attacker can use this to execute arbitrary code in the application context”, – say Fortinet experts.
A similar description of the problem was published and then removed from the Cisco Talos blog. The company claimed that “exploiting the vulnerability opens up systems for attacks with worm potential,” meaning the problem could easily spread from victim to victim.
Due to a leak in mid-March, Microsoft engineers were forced to urgently prepare an extraordinary patch for this vulnerability. The hotfix is available as KB4551762 for Windows 10, versions 1903 and 1909, as well as Windows Server 2019 versions 1903 and 1909.
Researchers have now created and published tools that can be used to find vulnerable servers, and have also released PoC exploits that help achieve denial of service (DoS).
While PoC for remote code execution has not yet been published due to its danger, ZecOps experts have developed and released PoC, which demonstrates how SMBGhost can be used to elevate privileges to SYSTEM. Additionally, ZecOps researchers published a blog report with the technical details of an attack on local privilege escalation.
Independent experts Daniel Garcia Gutierrez and Manuel Blanco Parajon presented another similar exploit for SMBGhost.
Experts remind users about importance for timely installation of updates, since the appearance of an RCE-exploit in the public domain is definitely not far.