Proof of Concept Exploit Released for Critical SMBGhost Windows 10 SMBv3 Vulnerability

A functional proof of concept (PoC) exploit for a critical remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol has been released and is being used by malicious cyber actors to attack vulnerable systems, according to an alert issued by the DHS Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, referred to as SMBGhost, is due to the way the SMBv3 protocol handles certain requests. If exploited, a malicious cyber actor could remotely execute code on a vulnerable server or client by sending a specially crafted packet to a targeted SMBv3 server. An attack against a client would also be possible if an attacker configured a malicious SMBv3 server and convinced a user to connect to it.

The vulnerability could be exploited to spread malware from one vulnerable system to another in a similar fashion to the SMBv1 vulnerability that was exploited in the 2017 WannaCry ransomware attacks. No user interaction is required to exploit the flaw on vulnerable SMBv3 servers.

The flaw – tracked as CVE-2020-0796 – is present in Windows 10 versions 1909 and 1903 and was the subject of a Microsoft security advisory in early March. The flaw received a maximum CVSS v3 severity rating of 10 out of 10.

Microsoft released a patch to correct the flaw in early March; however, almost three months on and many organizations have yet to apply the patch and are vulnerable to attack. Microsoft also released details of a workaround to prevent exploitation, which involves disabling SMBv3 compression.

While the workaround would prevent the flaw from being exploited on a SMBv3 server, it would not prevent an attack on a client. The workaround involves running a simple PowerShell command. No reboot is required after the command has been executed. Details are available here. Scanners are available on GitHub that can be used to check for the CVE-2020-0796 vulnerability.

Security researchers developed exploits for the flaw with limited success, but the PoC exploit now available would allow an attacker to escalate local privileges and deliver malware. The PoC exploit is not 100% reliable, but more refined exploits are expected to be released. In its current form it could be used to successfully attack a vulnerable SMBv3 server. If the exploit were to fail, an attacker could simply keep on trying until it worked.

CISA strongly recommends that all organizations apply the patch to prevent exploitation. If the patch cannot be applied, the workaround should be used and SMB ports should be blocked from the internet using a firewall until the patch can be applied.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.