The March Patch Tuesday updates did not include a patch for the vulnerability CVE-2020-0796, information about which was mistakenly published in the public domain by experts from Cisco Talos and Fortinet. Recently, security professionals published PoC exploits for this vulnerability, which has been named SMBGhost.
The CVE-2020-0796 problem, also called SMBGhost, affects SMBv3; Windows 10 1903, Windows 10 1909, Windows Server 1903 and Windows Server 1909 are vulnerable to the bug.
Let me remind you that a few years ago the SMB protocol helped WannaCry and NotPetya spread around the world. Recently Microsoft strongly recommended disabling SMBv1 in Microsoft Exchange, as it cannot provide patches for this protocol.
Last month, Kryptos Logic experts estimated that about 48,000 hosts with an open SMB port, which are vulnerable to potential attacks using the new bug, can be found on the Internet.
“The vulnerability is a buffer overflow on Microsoft SMB servers. The problem manifests when the vulnerable software processes a malicious compressed data packet. A remote and unauthenticated attacker can use this to execute arbitrary code in the application context,” Fortinet experts say.
A similar description of the problem was published and then removed from the Cisco Talos blog. The company claimed that “exploiting the vulnerability opens up systems for attacks with worm potential,” meaning the problem could easily spread from victim to victim.
Due to the leak in mid-March, Microsoft engineers were forced to urgently prepare an out-of-band patch for this vulnerability. The hotfix is available as KB4551762 for Windows 10, versions 1903 and 1909, as well as Windows Server 2019, versions 1903 and 1909.
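A defender's check for the hotfix named above, written as an added PowerShell example rather than anything from the article: it reports whether the host runs one of the listed releases and whether KB4551762 is present. It assumes Get-ComputerInfo is available (Windows PowerShell 5.1 or PowerShell 7 on Windows) and only detects KB4551762 itself, not a later cumulative update that supersedes it.

```powershell
# Added example, not from the article: report whether this host is one of the
# Windows 10 / Windows Server releases affected by SMBGhost and whether the
# KB4551762 hotfix is installed.
$AffectedReleases = @('1903', '1909')
$HotfixId = 'KB4551762'

function Test-SmbGhostPatch {
    # WindowsVersion carries the release id (e.g. "1909"); OsName distinguishes
    # Windows 10 from Windows Server.
    $info     = Get-ComputerInfo -Property OsName, WindowsVersion
    $release  = [string]$info.WindowsVersion
    $affected = $AffectedReleases -contains $release

    # Get-HotFix reads Win32_QuickFixEngineering, which lists only updates that
    # were installed directly; a later cumulative update that supersedes
    # KB4551762 will not appear under this id, so a "not found" result on a
    # fully updated host still needs confirmation in Windows Update history.
    $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue

    $status = if (-not $affected) { 'Release not in the affected list' }
              elseif ($hotfix)    { 'KB4551762 installed' }
              else                { 'KB4551762 not found: install it or a later cumulative update' }

    [pscustomobject]@{
        OsName          = $info.OsName
        Release         = $release
        AffectedRelease = $affected
        HotfixInstalled = [bool]$hotfix
        Status          = $status
    }
}

Test-SmbGhostPatch | Format-List
```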
Researchers have now created and published tools that can be used to find vulnerable servers, and have also released PoC exploits that cause a denial of service (DoS).
While a PoC for remote code execution has not yet been published because of its danger, ZecOps experts have developed and released a PoC that demonstrates how SMBGhost can be used to elevate privileges to SYSTEM. In addition, ZecOps researchers published a blog post with the technical details of the local privilege escalation attack.
Independent experts Daniel Garcia Gutierrez and Manuel Blanco Parajon presented another similar exploit for SMBGhost.
Experts remind users of the importance of installing updates promptly, since the appearance of an RCE exploit in the public domain is certainly not far off.