Guardicore Labs Alert: Critical Vulnerabilities in Windows SMB Require Attention

SMBGhost (CVE-2020-0796), a critical vulnerability in the Windows SMBv3 protocol, was disclosed and patched by Microsoft three months ago. Nevertheless, the Cybersecurity & Infrastructure Security Agency (CISA) recently warned that unpatched systems are being targeted and exploited in the wild. The vulnerability, scored 10.0, allows an unauthenticated attacker to execute code on the remote machine.

In addition, a new vulnerability dubbed SMBleed (CVE-2020-1206) was disclosed and patched this week. This vulnerability allows an attacker to leak sensitive information from the targeted machine’s kernel memory and “obtain information to further compromise the system”. A proof of concept (PoC) for this vulnerability is also publicly available.

Who’s vulnerable?

Windows 10 / Windows Server Core installation, version 1909 and version 1903:
    SMBGhost: machines with updates prior to KB4551762
    SMBleed: machines with updates prior to KB4560960

Windows 10 / Windows Server Core installation, version 2004:
    SMBGhost: not vulnerable
    SMBleed: machines with updates prior to KB4557957

SMB is a popular service among threat actors for both initial network breach and lateral movement. In Guardicore’s Cyber Threat Intelligence (CTI), we see hundreds of thousands of scans every week. Once a vulnerable machine is found, the scan escalates into a sophisticated attack which often exfiltrates data, abuses computing resources and propagates inside the network.

Mitigation

The most effective security measure recommended by both CISA and Microsoft is to block SMB ports from the internet using a firewall. With Guardicore Centra, it is possible to allow only specific source and destination assets (such as the Domain Controller, or certain file servers) to communicate over SMB, while blocking the rest of the traffic. Such a policy – as demonstrated in the image below – ensures that only known and allowed SMB traffic takes place in your network.

In addition, it is highly recommended to apply the relevant security patches provided by Microsoft. If that is not possible, consider disabling compression in SMBv3 as described in the Microsoft security advisories.
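As an added example (not part of the Guardicore alert), the following PowerShell checks a local host against the patch table above and the mitigations in this section. It assumes administrative rights, that the Windows release is read from the ReleaseId registry value, and that DisableCompression under the LanmanServer parameters is the SMBv3 compression workaround from Microsoft advisory ADV200005.

```powershell
# Added example: assess a local Windows host for SMBGhost / SMBleed exposure.
# KB numbers are those listed in the alert, keyed by Windows 10 / Server Core release.
$RequiredKb = @{
    '1903' = @{ SMBGhost = 'KB4551762'; SMBleed = 'KB4560960' }
    '1909' = @{ SMBGhost = 'KB4551762'; SMBleed = 'KB4560960' }
    '2004' = @{ SMBGhost = $null;       SMBleed = 'KB4557957' }   # 2004 is not affected by SMBGhost
}

$release   = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

if (-not $RequiredKb.ContainsKey($release)) {
    Write-Output "Release $release is not listed in the alert."
} else {
    foreach ($name in 'SMBGhost', 'SMBleed') {
        $kb = $RequiredKb[$release][$name]
        if (-not $kb) {
            Write-Output "$name : not vulnerable on release $release"
        } elseif ($installed -contains $kb) {
            Write-Output "$name : $kb installed"
        } else {
            # A later cumulative update supersedes the listed KB and Get-HotFix will not show
            # the old one, so treat a miss as a lead to verify, not as proof of exposure.
            Write-Output "$name : $kb not found - verify the cumulative update level"
        }
    }
}

# Workaround state (assumed from Microsoft ADV200005): SMBv3 compression disabled.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
if ($params.DisableCompression -eq 1) {
    Write-Output 'SMBv3 compression: disabled (workaround in place)'
} else {
    Write-Output 'SMBv3 compression: enabled (workaround not applied)'
}

# Exposure: enabled inbound allow rules that open TCP 445; these are candidates for tightening
# to known sources such as the Domain Controller or specific file servers.
$open445 = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($open445) {
    Write-Output "Inbound TCP 445 allowed by rule(s): $(($open445 | Select-Object -ExpandProperty DisplayName) -join ', ')"
} else {
    Write-Output 'No enabled inbound firewall rule allows TCP 445'
}
```

The Get-NetFirewall* cmdlets report only the host firewall; SMB reachability from the internet still needs to be confirmed at the perimeter or segmentation layer.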

If you have any questions please feel free to contact us at ebi.iletisim@eczacibasi.com.tr
