
Fixing The SMBGhost Vulnerability (CVE-2020-0796)

Microsoft accidentally revealed information about a security update for SMBGhost (CVE-2020-0796), a wormable vulnerability in the Microsoft Server Message Block (SMB) protocol.

So First - How Can You Fix SMBGhost?

While there isn’t a practical patch out there for the SMBGhost vulnerability just yet, consider implementing the following workarounds to mitigate the risk immediately: 

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

 

Notes: 
 
1. No reboot is needed after making the change. 
2. This workaround does not prevent exploitation of SMB clients. 
 
You can disable the workaround with the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

 

Source: Microsoft Security Advisory ADV200005
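
To confirm the workaround is actually in place across a set of servers, the following PowerShell function reads the same registry value and reports its state per host, optionally setting it first. This is an added example, not part of the original article or of Microsoft's advisory; the function name `Get-SmbCompressionWorkaround`, its parameters and the sample host names are assumptions, and the remote case assumes PowerShell remoting is enabled.

```powershell
# Added example: audit (and optionally apply) the DisableCompression workaround.
# The function name and parameters are hypothetical; the registry path and
# value name are the ones used by the commands in the article.
function Get-SmbCompressionWorkaround {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Apply   # set DisableCompression = 1 before reporting
    )

    $check = {
        param([bool]$Apply)
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $name = 'DisableCompression'

        if ($Apply) {
            Set-ItemProperty -Path $path -Name $name -Type DWORD -Value 1 -Force
        }

        # A missing value yields $null here, which is reported as "not applied".
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

        [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            DisableCompression = $value
            WorkaroundApplied  = ($value -eq 1)
            Error              = $null
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                & $check $Apply.IsPresent
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $check `
                    -ArgumentList $Apply.IsPresent -ErrorAction Stop
            }
        } catch {
            # Unreachable hosts are reported, not silently skipped.
            [pscustomobject]@{
                ComputerName       = $computer
                DisableCompression = $null
                WorkaroundApplied  = $false
                Error              = $_.Exception.Message
            }
        }
    }
}

# Constructed host names, for illustration only:
# Get-SmbCompressionWorkaround -ComputerName 'FS01','FS02' | Format-Table
```

A host reported with `WorkaroundApplied = True` is covered only in its SMB server role; as the notes above state, the setting does not prevent exploitation of SMB clients.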

Block inbound and outbound SMB

Consider blocking outbound SMB connections (TCP port 445 for SMBv3) from the local network to the WAN. Also ensure that SMB connections from the internet are not allowed to connect inbound to an enterprise LAN. 

What's SMBGhost's impact?

SMBv3 contains a vulnerability in the way it handles connections that use compression. By connecting to a vulnerable Windows machine running SMBv3, or by causing a vulnerable Windows system to initiate a client connection to an SMBv3 server, a remote, unauthenticated attacker would be able to execute arbitrary code with SYSTEM privileges on the vulnerable system.

Researchers from the cybersecurity firm Kryptos Logic have found roughly 48,000 Windows 10 hosts vulnerable to attacks targeting CVE-2020-0796. "The SMB bug appears trivial to identify, even without the presence of a patch to analyze," they say.

DoS PoC Demoed

Microsoft have shared a demo of a DoS PoC exploit developed by researcher Marcus Hutchins (aka MalwareTech).
