Microsoft Windows – ‘SMBGhost’ Remote Code Execution (CVE-2020-0796)

DESCRIPTION

Server Message Block (SMB) is a protocol which is commonly found in windows based systems. This is a common method for sharing folder and accessing them via network. This method is quite common which makes this vulnerability very dangerous as even large enterprises usually have common shared location where they can store and retrieve files.

IMPACT
This vulnerability can lead towards development of many malware / ransomware which will spread via the network and have the potential to perform Remote Command Execution (RCE) to the victim’s workstation. File servers can also be targeted as some of the editions of the servers are also affected. Any such attack can easily disrupt business and incur downtime.

SYSTEM AFFECTED
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)

RECOMMENDATIONS

1. Install latest updates provided by Microsoft
2. Disable the SMBv3 compression in the system by executing the following command in the powershell.

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

REFERENCES

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
• https://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html
• https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-exploit-demoed-by-researchers/