PoC Exploit for SMBGhost Windows 10 RCE Flaw Released and Attacks Identified

The SMBGhost vulnerability in Windows 10, patched by Microsoft in March 2020, is being actively exploited in the wild, according to a recent alert from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, tracked as CVE-2020-0796, is a critical, wormable remote code execution flaw: it can be triggered by an unauthenticated attacker with no user interaction, and a compromised host can in turn be used to attack others. It was assigned a CVSSv3 base score of 10 out of 10, and Microsoft's exploitability assessment had already rated exploitation as "more likely".

Microsoft issued a security advisory about the flaw in early March and published details of a workaround that could be applied to prevent exploitation. An out-of-band patch followed two days later. Almost three months have now passed since the patch was released, but many organizations have still not applied it.

The SMBGhost flaw, also referred to as CoronaBlue, was introduced with the SMBv3.1.1 compression support that first shipped in Windows 10 version 1903. It affects Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909 (Server Core installations). Earlier Windows releases, including Windows Server 2019 (version 1809), do not contain the compression code and are unaffected.

The flaw is an integer overflow in the SMBv3.1.1 message decompression routine of the kernel driver srv2.sys. It can be triggered by sending a specially crafted compressed packet to a vulnerable SMB server; no authentication is required. The same decompression code is used by the SMB client, so a vulnerable host is also exposed if it can be lured into connecting to a malicious SMBv3 server. A successful exploit runs attacker code in the kernel, which is enough to drop and execute malware such as a Trojan, ransomware, or an information stealer, and, because the flaw is wormable, to pivot to other vulnerable hosts in much the way the WannaCry ransomware spread over SMBv1 in 2017.
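The trigger for the overflow lives in the fixed-size header that prefixes every compressed SMBv3.1.1 message. The PowerShell below is an added example, not code from the article or from any published PoC: it parses the 16-byte SMB2 COMPRESSION_TRANSFORM_HEADER (field layout taken from the MS-SMB2 specification) and flags headers whose two 32-bit size fields, OriginalCompressedSegmentSize and Offset, would wrap when added in 32-bit arithmetic, which is the condition public analyses of CVE-2020-0796 identified as the root cause. The two sample headers are constructed inline for the demonstration; they are not captured traffic. This is a validation check a detection engineer can run over headers pulled from a capture, not an exploit.

```powershell
# Added example: parse an SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42) and
# flag the 32-bit overflow condition behind CVE-2020-0796. Not from the article.
#
# Layout (all little-endian):
#   0  ProtocolId                      4 bytes  0xFC 'S' 'M' 'B'
#   4  OriginalCompressedSegmentSize   4 bytes
#   8  CompressionAlgorithm            2 bytes
#  10  Flags                           2 bytes
#  12  Offset / Length                 4 bytes  (Offset when Flags = 0, Length when chained)

function New-SmbCompressionHeader {
    # Builds a header from field values; used here only to construct sample input.
    param([uint32]$OriginalSize, [uint16]$Algorithm, [uint16]$Flags, [uint32]$Offset)
    [byte[]]( [byte[]](0xFC, 0x53, 0x4D, 0x42) +
              [BitConverter]::GetBytes($OriginalSize) +
              [BitConverter]::GetBytes($Algorithm) +
              [BitConverter]::GetBytes($Flags) +
              [BitConverter]::GetBytes($Offset) )
}

function Read-SmbCompressionHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes.Length -lt 16) { throw 'Need at least 16 bytes for a compression transform header.' }

    # 0xFC 'S' 'M' 'B' marks a compressed message; 0xFE 'S' 'M' 'B' is a plain SMB2 header.
    if (-not ($Bytes[0] -eq 0xFC -and $Bytes[1] -eq 0x53 -and $Bytes[2] -eq 0x4D -and $Bytes[3] -eq 0x42)) {
        return $null
    }

    # SMB2 fields are little-endian, as is BitConverter on Windows x86/x64.
    $originalSize = [BitConverter]::ToUInt32($Bytes, 4)
    $algorithm    = [BitConverter]::ToUInt16($Bytes, 8)
    $flags        = [BitConverter]::ToUInt16($Bytes, 10)
    $offset       = [BitConverter]::ToUInt32($Bytes, 12)

    # Widen to 64 bits so the addition cannot wrap here; the unpatched driver added
    # these two fields in 32 bits when sizing its decompression buffer.
    $sum = [uint64]$originalSize + [uint64]$offset

    [pscustomobject]@{
        OriginalCompressedSegmentSize = $originalSize
        CompressionAlgorithm          = $algorithm   # 1 LZNT1, 2 LZ77, 3 LZ77+Huffman, 4 Pattern_V1
        Flags                         = $flags
        Offset                        = $offset
        Overflows32                   = ($sum -gt [uint32]::MaxValue)
    }
}

# Constructed samples (not captured traffic): a plausible benign header and one
# whose size fields wrap a 32-bit sum.
$benign  = New-SmbCompressionHeader -OriginalSize 0x1000     -Algorithm 1 -Flags 0 -Offset 0
$suspect = New-SmbCompressionHeader -OriginalSize 0xFFFFFFFF -Algorithm 1 -Flags 0 -Offset 0x10

foreach ($header in @($benign, $suspect)) {
    Read-SmbCompressionHeader -Bytes $header | Format-Table -AutoSize
}
```

The benign header reports Overflows32 = False; the second reports True. A header that wraps the sum has no legitimate use, so any compressed SMB message matching it on port 445 is worth an alert regardless of whether the hosts involved are patched.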

Applying the patch fixes the flaw. Failing that, exploitation of a vulnerable SMBv3 server can be prevented with a single PowerShell command that disables SMBv3 compression. This workaround protects only the server side: the SMB client on a vulnerable host can still be exploited if it connects to a malicious server.

Mitigation:

Run the following PowerShell command as an administrator to disable SMBv3 compression. A reboot is not required, and the change can be reversed by setting the value back to 0 once the host is patched:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force

To reduce the exposure of SMB clients, block outbound TCP port 445 at the enterprise perimeter firewall, and block inbound 445 to any host that does not need to serve SMB. Perimeter blocking naturally only stops attacks from outside the organization; it does nothing against lateral movement between internal hosts, or against a client being lured to a malicious internal server.
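The following script ties the steps above into one audit-and-mitigate routine. It is an added example, not the article's or Microsoft's code. It assumes two facts the article does not state: that Windows 10 and Windows Server releases 1903 and 1909 report OS build numbers 18362 and 18363 respectively, and that Microsoft's March 2020 fix raised the build revision (the UBR registry value) to 720 on both, so a lower revision on those builds means the host is unpatched. Without -Apply it only reports; with -Apply it sets the article's DisableCompression workaround and reads the value back to confirm it took.

```powershell
# Added example (not from the article or Microsoft): audit a host for SMBGhost
# (CVE-2020-0796) exposure and optionally apply the server-side workaround.
# Run in an elevated PowerShell session.
#
# Assumptions, not stated in the article:
#   - release 1903 = build 18362, release 1909 = build 18363
#   - the March 2020 update raised the revision (UBR) to 720 on both builds

param(
    [switch]$Apply    # without -Apply the script only reports
)

$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }
$fixedRevision  = 720

$lanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-SmbGhostStatus {
    $ver   = Get-ItemProperty -Path $versionKey
    $build = [int]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR
    $release = $affectedBuilds[$build]
    $releaseLabel = 'not 1903/1909'
    if ($release) { $releaseLabel = $release }

    # DisableCompression is absent by default; treat absent as compression enabled.
    $compression = (Get-ItemProperty -Path $lanmanKey -Name DisableCompression `
                        -ErrorAction SilentlyContinue).DisableCompression

    [pscustomobject]@{
        Build               = "$build.$ubr"
        Release             = $releaseLabel
        AffectedRelease     = [bool]$release
        Patched             = (-not $release) -or ($ubr -ge $fixedRevision)
        CompressionDisabled = ($compression -eq 1)
    }
}

$status = Get-SmbGhostStatus
$status | Format-List

if (-not $status.AffectedRelease) {
    Write-Host 'This release does not contain the SMBv3.1.1 compression code; nothing to do.'
    return
}
if ($status.Patched) {
    Write-Host 'Host carries the March 2020 update or later; the workaround is not needed.'
    return
}
if ($status.CompressionDisabled) {
    Write-Warning 'Unpatched, but the server-side workaround is already in place. The SMB client on this host is still exposed; install the update.'
    return
}
if ($Apply) {
    # The article's workaround: disable SMBv3 compression on the server. No reboot needed.
    Set-ItemProperty -Path $lanmanKey -Name DisableCompression -Type DWORD -Value 1 -Force
    $after = (Get-ItemProperty -Path $lanmanKey -Name DisableCompression).DisableCompression
    if ($after -eq 1) {
        Write-Host 'DisableCompression=1 set. Server side mitigated; client side remains vulnerable until patched.'
    } else {
        Write-Error 'DisableCompression was not written; check that the session is elevated.'
    }
} else {
    Write-Warning 'Unpatched and compression enabled: this host is vulnerable. Re-run with -Apply to set the workaround, then install the update.'
}
```

Save it as, for example, Test-SmbGhost.ps1 and run it once without arguments to see the verdict, then with -Apply on hosts that cannot be patched immediately. The revision check is deliberately "greater than or equal": later cumulative updates supersede the March fix and carry a higher UBR, so they also count as patched.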

Several proof-of-concept exploits were published by security researchers over the past three months, but they only achieved denial of service (a blue screen crash) or local privilege escalation. Now a PoC exploit has been released that achieves remote code execution.

The latest PoC exploit, developed by the researcher Chompie and released for educational purposes, is not fully reliable and needs further work to be made stable, but it has been independently verified to achieve remote code execution and is usable in its current form in attacks.

CISA has recommended applying the patch as soon as possible and using a firewall to block SMB ports from the internet.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news