Executive Summary: A functional remote code execution (RCE) proof of concept has been publicly released for CVE-2020-0796 (a.k.a. SMBGhost, NexternalBlue, CoronaBlue). Previous research was only able to achieve local privilege escalation (LPE).
SMBGhost is caused by a flaw in the SMBv3 protocol that mishandles certain requests. An unauthenticated attacker can target an SMBv3 server or create a malicious server to target a client using SMBv3 and gain the ability to execute code on the target using specially crafted packets. The vulnerability has a CVSS severity score of 10, which is the highest possible severity.
SMBGhost has been used for LPE in a live attack payload, in which the code was signed by the same signing organisation used by the Maze Group. Researchers continued to work on an exploit since the vulnerability’s discovery, and now a proof of concept has been released by Twitter user @Chompie that demonstrates remote code execution, which would enable a remote unauthenticated attacker to gain unlimited access to the target machine. This is especially dangerous, as SMB services exposed to the Internet could lead to scenarios like those seen in the WannaCry and NotPetya attacks, which leveraged the EternalBlue vulnerability in SMBv1. While the RCE exploit is not 100% reliable, with some attempts resulting in reboots or BSOD, repeated attempts against the same target will eventually yield a successful exploit.
CVE-2020-0796 was patched by Microsoft in March with KB4551762, which applies to all editions of Windows 10 versions 1903 and 1909, and all editions of Windows Server versions 1903 and 1909. Users of these operating systems should update to the latest build of these versions immediately. If immediate patching is not possible, Microsoft has published instructions to mitigate the threat; the workaround is only effective for SMBv3 servers, however, and clients remain vulnerable. As such, the best option is to expedite the application of the security patch to both server and client machines.
Detect: KB4551762, the patch for CVE-2020-7096, was released on 2020-03-12 for both Windows 10 and Windows Server. The OS build increment is 18362.720 and 18363.720 for versions 1903 and 1909, respectively. To check the OS build of a Windows 10/Server host, go to Start > Settings > System > About; if the build number is lower than those specified, the latest Windows updates should be installed immediately.
The ITC Managed VI service can also help identify devices which have not been patched. This will either be picked up in current running scans or if you need an ad-hoc scan please contact the ITC SOC.
The following products are vulnerable to CVE-2020-0796:
- Windows 10, version 1903 32-bit and x64-based systems
- Windows 10, version 1903 for ARM64-based systems
- Windows 10, version 1909 32-bit and x64-based systems
- Windows 10, version 1909 for ARM64-based systems
- Windows Server, version 1903 (including Windows Server Core installation)
- Windows Server, version 1909 (including Windows Server Core installation)
Prevent: Organisations should ensure that the latest Windows Updates are applied, and the SMB service is not exposed to the Internet. If patching is not possible immediately, system administrators can apply Microsoft’s recommended workaround usi the following Powershell command to disable SMBv3 Compression:
Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force
To disable the workaround, use the same Powershell command to set the registry value back to ‘0’. Please note:
- This workaround does not prevent the exploitation of SMBv3 clients, only servers.
- No reboot is required to enable or disable SMB Compression.
- SMB Compression is not yet used by Windows 10 or Windows Server, so there is no negative impact to the workaround.
React: In addition to ensuring that affected systems are updated as soon as possible, oganisations should ensure that antivirus solutions are updated and should monitor for indicators of compromise; in particular, monitor for events associated with the AVE_MARIA (a.k.a Warzone) RAT. Organisations should ensure no SMB service is exposed to the Internet, and any internally exposed SMB services are limited to necessary use only and monitored appropriately.
Patching policies may need to be reviewed to determine whether they unduly delay the patching schedule.