SMBGhost Vulnerability (CVE-2020-0796)

OWASP 2017-A9 OWASP 2013-A9 CWE-119 WSTG-INPV-08

SMBGhost affects the latest version of the Server Message Block (SMB) protocol.

SMB is a Windows service used for remote file and printer sharing. The vulnerability is caused by incorrect handling of data compression in the protocol.

This could allow an attacker to gain remote access to the vulnerable system or to crash the server. SMBGhost affects both the SMB server and the SMB client.

So an attacker can either gain access through vulnerable SMB services, or set up their own malicious server and compromise the machines that connect to it by convincing unsuspecting users to connect.

Affected Operating Systems:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Impact

If exploitation succeeds, either the server crashes or the attacker gets a remote session on the vulnerable machine.

Mitigation Or Precaution

We recommend mitigating SMBGhost by patching all devices as per the Microsoft advisory.

Also, use firewall policies to avoid exposing the SMB service to external connections. As a workaround, you can also disable SMBv3 compression.

You can disable SMBv3 compression with the PowerShell command below:

        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

   

You can revert the workaround with the PowerShell command below:

        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
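
To confirm the state of the workaround on a host, the script below reads the same `DisableCompression` value and reports whether the machine is one of the releases listed above. It is an added example, not part of the original article or Microsoft's advisory; the function name and output property names are hypothetical, and it assumes the `ReleaseId` registry value is present, as it is on Windows 10 1903/1909.

```powershell
# Added example: audit the SMBv3 compression workaround on the local host.
# Function and property names are illustrative, not from the advisory.
function Get-SmbCompressionWorkaroundStatus {
    [CmdletBinding()]
    param(
        # Releases listed as affected in this article.
        [string[]]$AffectedReleases = @('1903', '1909')
    )

    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $osKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId holds the feature-update version string, e.g. "1903".
    $releaseId = (Get-ItemProperty -Path $osKey -Name ReleaseId `
                    -ErrorAction SilentlyContinue).ReleaseId

    # A missing value means the workaround was never set,
    # so SMBv3 compression is still enabled on the server side.
    $raw = (Get-ItemProperty -Path $paramKey -Name DisableCompression `
              -ErrorAction SilentlyContinue).DisableCompression

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ReleaseId          = $releaseId
        AffectedRelease    = $AffectedReleases -contains $releaseId
        DisableCompression = $raw            # $null when the value is absent
        WorkaroundApplied  = ($raw -eq 1)
    }
}

$status = Get-SmbCompressionWorkaroundStatus
$status | Format-List

if ($status.AffectedRelease -and -not $status.WorkaroundApplied) {
    Write-Warning ('Affected release with SMBv3 compression enabled: ' +
                   'verify the Microsoft patch is installed or apply the workaround.')
}
```

The value lives under the `LanmanServer` service, so it covers the SMB server role only; per Microsoft's advisory, the workaround does not protect SMB clients, which is why patching remains the primary fix.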

   
