News

Windows SMB 3 Proof-of-Concept Exploit Code Released

• By Kurt Mackie
• 06/08/2020

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday warned that functional proof-of-concept code for a Server Message Block (SMB) 3.1.1 vulnerability in newer Windows systems has been published.

This "Critical"-rated vulnerability (CVE-2020-0796) got addressed via an "out-of-band" patch from Microsoft back in March, and there were no known attacks described at the time. Now, CISA, part of the U.S. Department of Homeland Security, likely is renewing the alert because systems still aren't patched and workable exploit code is now available.

The vulnerability, described in the CVE-2020-0796 bulletin, is sometimes also called "SMBGhost" by researchers. It's present in Windows client and server (server core only) systems at versions 1903 and 1906, but not in older Windows systems.

An exploit could lead to remote code execution attacks on a client or server. A security researcher going by the name of "Chompie" released exploit code that's been tested by CISA security researcher Will Dormann. He found that the code worked some of the time, according to a Bleeping Computer article.

Dormann described the vulnerability in a CERT Note as being related to how SMB 3 handles "connections that use compression," permitting the execution of code on a system by an unauthenticated attacker. He added that "it has been reported that this vulnerability is 'wormable,'" which appears to be what security researchers have been saying. Microsoft, though, hasn't used that word in its announcements.

An infamous wormable SMB 1 exploit affecting Windows XP systems, dubbed "WannaCry," turned out to be a wiper disguised as ransomware. It used leaked U.S. National Security Agency weaponized code that disabled the networks of hospitals, shipping companies, pharmaceutical manufacturers and more worldwide about three years ago.

For those having problems patching, Microsoft's advisory did include a workaround. Organizations can also help ward off exploits by blocking TCP Port 445 at firewall, Microsoft indicated.