The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that a functional proof-of-concept (PoC) exploit for a critical remote code execution vulnerability in Microsoft's Server Message Block 3.1.1 (SMBv3) protocol has been publicly released, and that malicious cyber actors are using it to attack unpatched systems.
The vulnerability, known as SMBGhost, results from the way the SMBv3 protocol handles certain compressed requests. If exploited, it allows an attacker to execute code remotely on an unpatched server or client. A server is attacked by sending a specially crafted packet to the target SMBv3 service; a client is attacked by standing up a malicious SMBv3 server and convincing a user to connect to it.
Like the SMBv1 vulnerability exploited in the 2017 WannaCry ransomware attacks, the flaw is wormable: it can be used to spread malware from one unpatched system to another. No user interaction is required to exploit an unpatched SMBv3 server.
Microsoft's security advisory in early March described the vulnerability, CVE-2020-0796, which affects Windows 10 versions 1903 and 1909 (and the corresponding Windows Server 1903 and 1909 Server Core installations). It was assigned the maximum CVSS v3 severity score of 10.
Microsoft released a patch within days of the advisory; even so, roughly three months later many organizations still have not applied it and remain exposed. Microsoft also published a workaround that prevents exploitation of the server side by disabling SMBv3 compression.
The workaround blocks exploitation of an SMBv3 server, but it does not protect clients that connect to a malicious server. It consists of a single PowerShell command that sets a registry value; no reboot is required afterwards. Details are in Microsoft's advisory. Scanners that identify hosts exposed to CVE-2020-0796 are available on GitHub; note that many of them only check whether a host negotiates SMB 3.1.1 with compression enabled, which shows that the workaround is absent rather than proving that the patch is missing.
Security researchers had earlier produced exploits with only partial success. The PoC now publicly available can be used for local privilege escalation and, against an unpatched SMBv3 server, for remote code execution and malware propagation. It is not 100% reliable, but more refined exploits are likely to follow. If an attempt fails, an attacker can simply retry until it succeeds; a failed attempt can also crash the target, so unexplained reboots of unpatched hosts deserve a closer look.
CISA strongly urges all organizations to apply the patch. Where that is not yet possible, apply the workaround and block the SMB port (TCP 445) from internet access at the firewall until the patch can be installed.
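The following PowerShell script ties together the workaround described above and CISA's interim advice (block SMB until patched) into one host-level check. It is an added example, not code from CISA or Microsoft. It assumes the DisableCompression value under LanmanServer\Parameters is the one Microsoft's workaround sets, that the fixed OS builds are 18362.720 / 18363.720 (KB4551762; confirm the UBR against Microsoft's release notes before relying on it), and that the host firewall rules are a stopgap alongside, not instead of, the perimeter firewall rule.

```powershell
# Added example (not from CISA or Microsoft): audit one Windows 10 / Server 1903/1909
# host for CVE-2020-0796 exposure, apply the compression workaround if the patch is
# missing, and fence off TCP 445 with the host firewall until the update is installed.
# Run from an elevated PowerShell session.

$svcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$verKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$fixedUbr  = 720   # assumption: KB4551762 ships builds 18362.720 / 18363.720; verify

# 1. Is this an affected release, and does the update-build revision (UBR) carry the fix?
$ver             = Get-ItemProperty -Path $verKey
$affectedRelease = $ver.ReleaseId -in @('1903', '1909')
$patched         = (-not $affectedRelease) -or ([int]$ver.UBR -ge $fixedUbr)

# 2. Is Microsoft's server-side workaround (SMBv3 compression disabled) already in place?
$disable          = (Get-ItemProperty -Path $svcParams -Name DisableCompression `
                        -ErrorAction SilentlyContinue).DisableCompression
$workaroundActive = ($disable -eq 1)

'Build {0}.{1} (release {2}); patched={3}; SMBv3 compression disabled={4}' -f `
    $ver.CurrentBuild, $ver.UBR, $ver.ReleaseId, $patched, $workaroundActive

if (-not $patched) {
    if (-not $workaroundActive) {
        # Microsoft's documented workaround. Takes effect immediately, no reboot.
        # Revert later with -Value 0 once the update is installed.
        Set-ItemProperty -Path $svcParams -Name DisableCompression -Type DWORD -Value 1 -Force
        Write-Warning 'SMBv3 compression disabled. This protects the server side only; install the update.'
    }

    # Interim host-firewall rules (assumption: the perimeter firewall is handled separately).
    # Inbound: stop remote exploitation of this host's SMB server from untrusted networks.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (CVE-2020-0796 interim)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null

    # Outbound: the registry workaround does not cover the client-side attack (a user
    # connecting to a malicious SMBv3 server), so also stop SMB to untrusted networks.
    New-NetFirewallRule -DisplayName 'Block outbound SMB 445 (CVE-2020-0796 interim)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Profile Public -Action Block | Out-Null

    Write-Warning 'Host is unpatched for CVE-2020-0796; interim firewall rules added. Patch and remove them.'
}
```

The build-revision check is deliberately used instead of `Get-HotFix -Id KB4551762`: later cumulative updates supersede that KB, so a fully patched host may not list it, whereas the UBR only ever increases. The firewall rules are scoped to the Public profile so domain file sharing keeps working; tighten the scope if the host should never talk SMB to untrusted networks at all.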