SMBGhost (CVE-2020-0796), a critical vulnerability in the Windows SMBv3 protocol, was disclosed and patched by Microsoft three months ago. Nevertheless, the Cybersecurity and Infrastructure Security Agency (CISA) recently warned that unpatched systems are being targeted and exploited in the wild. The vulnerability, scored 10.0, allows an unauthenticated attacker to execute code on the remote machine.
In addition, a new vulnerability dubbed SMBleed (CVE-2020-1206) was disclosed and patched this week. This vulnerability allows an attacker to leak sensitive information from the targeted machine's kernel memory and "obtain information to further compromise the system". A proof of concept (PoC) for this vulnerability is also publicly available.
| Windows release | Vulnerable to SMBGhost (CVE-2020-0796) | Vulnerable to SMBleed (CVE-2020-1206) |
|---|---|---|
| Windows 10 / Windows Server Core installation version 1909 | Machines with updates prior to KB4551762 | Machines with updates prior to KB4560960 |
| Windows 10 / Windows Server Core installation version 1903 | Machines with updates prior to KB4551762 | Machines with updates prior to KB4560960 |
| Windows 10 / Windows Server Core installation version 2004 | Not vulnerable | Machines with updates prior to KB4557957 |
SMB is a popular service among threat actors for both initial network breach and lateral movement. In Guardicore's Cyber Threat Intelligence (CTI), we see hundreds of thousands of SMB scans every week. Once a vulnerable machine is found, the scan escalates into a sophisticated attack that often exfiltrates data, abuses computing resources and propagates inside the network.
The most effective security measure recommended by both CISA and Microsoft is to block SMB ports from the internet using a firewall. With Guardicore Centra, it is possible to allow only specific source and destination assets (such as the Domain Controller, or certain file servers) to communicate over SMB, while blocking the rest of the traffic. Such a policy – as demonstrated in the image below – ensures that only known and allowed SMB traffic takes place in your network.
In addition, it is highly recommended to apply the relevant security patches provided by Microsoft. If that is not possible, consider disabling compression in SMBv3 as described in the Microsoft security advisories.
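As an added example (not Guardicore's or Microsoft's code), the PowerShell below audits one Windows 10 / Server Core host against the three recommendations above: the KB numbers are taken from the table, the DisableCompression value under the LanmanServer\Parameters key is the server-side workaround from Microsoft's advisory, and the firewall check assumes the built-in NetSecurity cmdlets are available on the host.

```powershell
# Added example, not from the original post. Run elevated on the host being audited.
# KB that closes each CVE per Windows release (values from the table above).
$RequiredKb = @{
    '1903' = @{ SMBGhost = 'KB4551762'; SMBleed = 'KB4560960' }
    '1909' = @{ SMBGhost = 'KB4551762'; SMBleed = 'KB4560960' }
    '2004' = @{ SMBGhost = $null;       SMBleed = 'KB4557957' }   # 2004 is not affected by SMBGhost
}

$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
if (-not $RequiredKb.ContainsKey($release)) {
    Write-Output "Release $release is not in the affected list; nothing to check."
    return
}

# 1. Patch level. A later cumulative update supersedes the listed KB, so a missing
#    entry means "verify against the current update history", not "definitely unpatched".
$installed = (Get-HotFix).HotFixID
foreach ($cve in 'SMBGhost', 'SMBleed') {
    $kb = $RequiredKb[$release][$cve]
    if ($null -eq $kb) { "$cve : not affected on release $release"; continue }
    if ($installed -contains $kb) { "$cve : $kb installed" }
    else { "$cve : $kb NOT found - verify patch level" }
}

# 2. Workaround: SMBv3 compression disabled on the server side (DisableCompression = 1),
#    per Microsoft's advisory for CVE-2020-0796 (assumed registry path from that advisory).
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
if ($params.DisableCompression -eq 1) { 'SMBv3 compression: disabled (workaround applied)' }
else { 'SMBv3 compression: enabled - patch, or set DisableCompression=1 until patched' }

# 3. Exposure: is there any enabled inbound firewall rule allowing TCP 445?
$allow445 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
if ($allow445) { 'TCP 445: inbound allow rule(s) present - confirm they are limited to known SMB peers' }
else { 'TCP 445: no enabled inbound allow rule' }
```

The firewall check only reports that an allow rule exists; whether its remote-address scope is restricted to the intended file servers or domain controllers still has to be reviewed by hand.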