On 10th March 2020, when the monthly Windows Patch Tuesday security updates were released, Microsoft accidentally disclosed details of a critical Windows 10 vulnerability before a fix had been made available. The vulnerability, named “SMBGhost”, was apparently disclosed because of a miscommunication in the patching and disclosure process.
A perfect 10
CVE-2020-0796 was thought so dangerous, were it to be weaponized, that it merited the rarest CVSS rating: a “perfect” 10. Microsoft was quick to act and issued an emergency out-of-band fix within days.
SMBGhost is a fully wormable vulnerability that could enable remote code execution, and ultimately control of the targeted system, if a successful attack were launched. The vulnerability in Microsoft’s Server Message Block 3.1.1 allows a maliciously constructed data packet sent to the server to trigger arbitrary code execution.
What has changed?
CISA says it is now aware of publicly available and functional proof-of-concept (PoC) code that exploits CVE-2020-0796 on unpatched systems. Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports.
What to do
CISA strongly recommends using a firewall to block SMB ports from the internet and applying patches for critical- and high-severity vulnerabilities as soon as possible.
We encourage users and administrators to review the following resources and apply the necessary updates or workarounds.
Microsoft’s security updates addressing SMBGhost in Windows 10 versions 1909 and 1903, and Server Core for the same versions: CVE-2020-0796
Microsoft Advisory: ADV200005
CERT Coordination Center’s Vulnerability Note: VU#872016