CISA warns of unpatched Windows 10 SMBGhost vulnerability in Microsoft’s Server Message Block 3.1.1 CVE-2020-0796 being exploited in the wild
You may have heard of the unpatched Windows 10 vulnerability called SMBGhost. It has the identifier CVE-2020-0796, also goes by names such as NexternalBlue, BluesDay, and CoronaBlue, and affects Microsoft Server Message Block 3.1.1 (SMBv3). It is an extremely critical unpatched vulnerability that potential hackers can exploit to spread malware from one vulnerable system to another without the victim’s knowledge or consent.
Microsoft disclosed the SMBGhost vulnerability by mistake while releasing its March 2020 Patch Tuesday updates. Until then nobody knew about the vulnerability, but as soon as Microsoft disclosed the unpatched flaw in its bulletin, hackers, security researchers, and cyber criminals started working on an exploit.
Now it seems that an unknown hacker has created a working exploit, a proof of concept of which has been leaked online.
If you have updated your Windows 10 PC or laptop to the latest May 2020 update (Windows 10 version 2004), you are protected from the SMBGhost bug. SMBGhost affects Windows 10 versions 1909 and 1903, including Server Core.
Proof of Concept video
As the video shows, all a potential hacker needs to do is send a specially crafted message to a targeted SMBv3 server. The vulnerability in Microsoft’s Server Message Block 3.1.1 then lets the attacker gain control of the system and execute arbitrary code.
After the vulnerability was disclosed in March, security researchers started looking for a way to exploit SMBGhost, but the results were limited to local privilege escalation (LPE) and denial of service (blue screen). In April, a security researcher released a PoC of an SMBGhost exploit with remote code execution.
However, the new PoC shows that hackers could gain full control of a Windows 10 PC or laptop using the SMBGhost vulnerability.
— Vitali Kremez (@VK_Intel) May 29, 2020
2020-05-30:🆕🔥 #AVE_MARIA aka #Warzone RAT| #Signed 🇸🇮GO ONLINE d.o.o.
1⃣Spreading locally via #SMBGhost & UAC Win7 bypass
2⃣Fixes RDP connection access
3⃣Add PowerShell execution permission
Another malware developer fan
h/t @malwrhunterteam pic.twitter.com/RbZltd0fIM
— Vitali Kremez (@VK_Intel) May 30, 2020
The vulnerability is so severe that the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) today confirmed that the exploit is publicly available and could be used by threat actors to take over Windows 10 systems, PCs and laptops. CISA warns, “malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports.”
CISA strongly recommends using a firewall to block SMB ports from the internet and that Windows 10 users patch their systems immediately. You can find all of Microsoft’s security patches for SMBGhost in Windows 10 versions 1909 and 1903 and Server Core here.
You can also check whether your Windows 10 server, PC or laptop is vulnerable to SMBGhost by visiting this GitHub page by OllyPwn, who has developed an SMBGhost vulnerability checker tool in Python. It checks for SMB dialect 3.1.1 and compression capability through a negotiate request. A network dump of the scanner running against a Windows Server 2019 host (10.0.0.133) can be found under SMBGhost.pcap.
You can also disable Microsoft’s Server Message Block 3.1.1 completely on your Windows 10 server, PC or laptop by following this workaround.
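The checker above looks for two things in the server's reply to a negotiate request: the SMB 3.1.1 dialect and a compression capabilities context. The following is an added example, not OllyPwn's code, that applies the same two conditions to an already-captured negotiate response (for instance one extracted from SMBGhost.pcap); the byte layout follows the MS-SMB2 specification, and the sample response it parses is constructed inline for testing rather than taken from a real host.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
DIALECT_311 = 0x0311          # SMB 3.1.1, the only dialect that supports compression
CTX_COMPRESSION = 0x0003      # SMB2_COMPRESSION_CAPABILITIES negotiate context type

def parse_negotiate_response(nb: bytes):
    """Parse a NetBIOS-framed SMB2 NEGOTIATE response (as seen in a pcap).
    Returns (dialect, [negotiate context types]) per MS-SMB2 2.2.4."""
    msg = nb[4:]                               # drop the 4-byte NetBIOS session header
    if msg[:4] != SMB2_MAGIC or len(msg) < 128:
        raise ValueError("not an SMB2 message carrying a NEGOTIATE body")
    command, = struct.unpack_from("<H", msg, 12)
    if command != 0:                           # 0x0000 = SMB2 NEGOTIATE
        raise ValueError("not a NEGOTIATE response")
    body = msg[64:]                            # body follows the fixed 64-byte header
    dialect, ctx_count = struct.unpack_from("<HH", body, 4)
    ctx_offset, = struct.unpack_from("<I", body, 60)  # offset from SMB2 header start
    types, pos = [], ctx_offset
    for _ in range(ctx_count):
        ctype, dlen = struct.unpack_from("<HH", msg, pos)
        types.append(ctype)
        pos += 8 + dlen                        # 8-byte context header plus data
        pos += (-pos) % 8                      # contexts are 8-byte aligned
    return dialect, types

def exposes_smb311_compression(nb: bytes) -> bool:
    """The two conditions the SMBGhost checker tests: dialect 3.1.1 negotiated
    AND a compression capabilities context advertised by the server."""
    dialect, types = parse_negotiate_response(nb)
    return dialect == DIALECT_311 and CTX_COMPRESSION in types

def build_sample_response(dialect: int, compression: bool) -> bytes:
    """Constructed test input (not a real capture): a minimal negotiate
    response whose context list mirrors what a server would send."""
    ctxs = []
    if dialect == DIALECT_311:                 # preauth integrity is mandatory for 3.1.1
        ctxs.append((0x0001, struct.pack("<HHH", 1, 32, 1) + b"\x00" * 32))
        if compression:                        # one algorithm advertised: LZNT1 (0x0001)
            ctxs.append((CTX_COMPRESSION, struct.pack("<HHIH", 1, 0, 0, 1)))
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
    hdr += b"\x00" * 16                        # Signature field
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, len(ctxs), b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 128)
    blob = b""
    for ctype, data in ctxs:                   # contexts begin at offset 128
        blob += struct.pack("<HHI", ctype, len(data), 0) + data
        blob += b"\x00" * ((-len(blob)) % 8)
    msg = hdr + body + blob
    return b"\x00" + len(msg).to_bytes(3, "big") + msg
```

A host that answers with SMB 3.1.1 but no compression context (for example one with the DisableCompression workaround applied) is reported as not exposed, which is exactly the state the mitigation aims for.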