SMBGhost (security vulnerability)
SMBGhost (or SMBleedingGhost or CoronaBlue) is a type of security vulnerability, with wormlike features, that affects Windows 10 computers and was first reported publicly on 10 March 2020.[1][2][3][4][5][6][7][8] A Proof-of-Concept (PoC) exploit code was published 1 June 2020 on Github by a security researcher.[7][9] The code could possibly spread to millions of unpatched computers, resulting in as much as tens of billions of dollars in losses.[3]
CVE identifier(s) | CVE-2020-0796[1] |
---|---|
Date discovered | 4 November 2019[1] (note: date cve "assigned") |
Date patched | 10 March 2020[1][2][3] |
Discoverer | Malware Hunter Team[1] |
Affected hardware | Windows 10 version 1903 and 1909, and Server Core installations of Windows Server, versions 1903 and 1909[4] |
Microsoft recommends all users of Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909 to install patches, and states, "We recommend customers install updates as soon as possible as publicly disclosed vulnerabilities have the potential to be leveraged by bad actors ... An update for this vulnerability was released in March [2020], and customers who have installed the updates, or have automatic updates enabled, are already protected."[3] Workarounds, according to Microsoft, such as disabling SMB compression and blocking port 445, may help but may not be sufficient.[3]
According to the advisory division of Homeland Security, "Malicious cyber actors are targeting unpatched systems with the new [threat], ... [and] strongly recommends using a firewall to block server message block ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible."[3]
References
- Hammond, Jordan (11 March 2020). "CVE-2020-0796: Understanding the SMBGhost Vulnerability". PDQ.com. Retrieved 12 June 2020.
- Seals, Tara (8 June 2020). "SMBGhost RCE Exploit Threatens Corporate Networks". ThreatPost.com. Retrieved 10 June 2020.
- Grad, Peter (9 June 2020). "Homeland Security warns of Windows worm". TechXplore.com. Retrieved 10 June 2020.
- Gatlan, Sergiu (20 April 2020). "Windows 10 SMBGhost RCE exploit demoed by researchers". Bleeping Computer. Retrieved 12 June 2020.
- Staff (13 March 2020). "CVE-2020-0796 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability". Microsoft. Retrieved 12 June 2020.
- Staff (15 March 2020). "CoronaBlue / SMBGhost Microsoft Windows 10 SMB 3.1.1 Proof Of Concept". Packet Storm. Retrieved 10 June 2020.
- Chompie1337 (8 June 2020). "SMBGhost RCE PoC". GitHub. Retrieved 10 June 2020.
- Murphy, David (10 June 2020). "Update Windows 10 Now to Block 'SMBGhost'". LifeHacker.com. Retrieved 10 June 2020.
- Ilascu, Ionut (5 June 2020). "Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit". Bleeping Computer. Retrieved 17 June 2020.
External links
- Video (02:40) – SMBGhost patching (CVE-2020-0796) on YouTube (12 March 2020)
- Video (02:40) – SMBGhost check (CVE-2020-0796) on YouTube (12 March 2020)
- Video (04:22) – SMBGhost vulnerability (CVE-2020-0796) on YouTube (13 March 2020)
- Video (11:10) – SMBGhost scan/exploit (CVE-2020-0796) on YouTube (13 March 2020)
- Video (07:27) – SMBGhost explained (CVE-2020-0796) on YouTube (04 April 2020)
- Video (00:50) – SMBGhost crashes W10 (CVE-2020-0796) on YouTube (10 June 2020)