After the infamous SMBv1 flaw with the name EternalBlue that was discovered some years ago (and all the consequences it had like WannaCry), a new vulnerability (CVE-2020-0796) affecting SMBv3 has been discovered. The community has started to name this vulnerability SMBGhost because everyone knows this vulnerability is present but no additional details are available. Microsoft also released the advisory ADV200005. [1]

This vulnerability affects only recent version of Windows 10 (Version 1903 and 1909) and Windows Server (version 1903 and 1909). Older Windows’ versions are not affected.

It is possible to perform this attack on server but also on clients. To exploit the vulnerability against clients, an attacker sets up a rogue SMBv3 server and trick a user to connect to it. On the other hand, to perform the attacks against a SMBv3 server, the attacker would send a specially crafted packet to it.

More specifically, the attacker needs to send the victim a compressed packet which will then be erroneously interpreted by the implementation of SMBv3 on the affected Window system. First insights suggest that a buffer overflow is involved in a compression library used to handle compressed data.

Note that this vulnerability could be exploited by a remote unauthenticated attacker.

At the time of this writing there are no additional technical details released by Microsoft even though some very good analysis are already available. [2]

The attack seems to be “wormable”, which means it could be possible for an attacker to spread it automatically on different victims’ machines after compromising one “patient zero”.

Attackers already present in internal networks could take advantage of this vulnerability to directly attack and compromise internal workstations and servers.

The vulnerability does not affect SMBv3 on Linux because Samba does not yet implement the transform header used for compression. [3]

In comparison to the SMBv1 vulnerability EternalBlue, when it was disclosed, SMBv3 is today less used around the world. Also, the absence of a reliable exploit and the need to bypass some other security mechanisms in modern Windows system (like KASLR [4]) complicates the remote code execution exploitation phase. There is however a PoC video available that triggers a blue screen on the victim’s machine [5]. So it’s necessary to implement countermeasures to be protected against successful attacks.

Mitigations

Apply the KB4551762 patch Microsoft released for all affected system [6].

If you can’t apply the patch, Microsoft proposed in the advisory some mitigations and workarounds to protect against this newly discovered vulnerability:

  • Disable SMBv3 compression instantly using the following powershell command (no reboot is needed after this change in the registry):
    • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
  • Block incoming and outgoing SMB traffic (port 445) on the perimeter firewall of your network

Be aware that an attacker could trick users to connect to a rogue SMBv3 server (e.g. via Phishing Mail or HTML Pages containing fake SMB share paths). For laptops and other devices outside the corporate network another mitigation is to enforce always-on VPN until the patch is installed.

Tools and Resources

The security researcher ollypwn, has recently published a python scanner for this vulnerability on GitHub, available at https://github.com/ollypwn/SMBGhost. You could run it against your servers after activating the above workaround proposed by Microsoft .

Also a YARA rules from LloydLabs is available at https://gist.github.com/LloydLabs/5e9afdaa172be0c5ac516fe399e6a14e.

Nmap NSE Scripts and Snort rules are available on the Claroty GitHub (https://github.com/ClarotyICS/CVE2020-0796).

References

  1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005
  2. https://www.synacktiv.com/posts/exploit/im-smbghost-daba-dee-daba-da.html
  3. https://lists.samba.org/archive/samba/2020-March/228876.html
  4. https://twitter.com/MalwareJake/status/1237512624830427136
  5. https://twitter.com/kryptoslogic/status/1238057276738592768
  6. https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762