A short tip for administrators on enterprise networks who want to verify whether Windows servers are vulnerable to the unpatched SMBv3 vulnerability CVE-2020-0796. There is a Python script for this purpose.
The SMBv3 Vulnerability (CVE-2020-0796)
The Microsoft implementation of the SMBv3 protocol used in Windows contains a vulnerability called EternalDarkness (CVE-2020-0796) that can occur when compression is used. The following versions of Windows are affected:
- Windows Server Version 1903 (Server Core Installation)
- Windows Server Version 1909 (Server Core Installation)
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
This affects the implementation of Microsoft Server Message Block 3.1.1 (SMBv3). This vulnerability allows a remote attacker to execute arbitrary code on a vulnerable system without the need to log on. The vulnerability is 'wormable', which means that it allows malware to spread over a network.
I reported this in the blog post Windows SMBv3 0-day vulnerability CVE-2020-0796. The linked article also lists measures to mitigate the vulnerability. Since there is no patch for this bug yet, these are workarounds that disable SMBv3 compression on the Windows server side.
Check whether a server is vulnerable
Administrators may face the question of how to verify whether a server is vulnerable to the SMBv3 vulnerability. I noticed this tweet on Twitter yesterday.
Scanner for CVE-2020-0796 #SMBGhost
This is not meant for research or development. Only for testing if -your- server is vulnerable. Read the README for more info.
Also, please stop calling it CoronaBlue. Disrespectful. https://t.co/IhLvAo5bOp
— ollypwn (@ollypwn) March 11, 2020
The security researcher points to this GitHub page, where there is a simple SMBv3 scanner, SMBGhost, that can be used to check a server for Microsoft's SMB 3.1.1 support. The Python script also checks if compression is enabled. This way it can be tested whether the above-mentioned workaround actually works until an update is available. Further details can be found in the README.
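To show what such a check looks at, here is an added example (not the SMBGhost script's code) that parses an SMB2 NEGOTIATE response offline and reports the dialect and any compression algorithms the server offered. The field offsets follow the published MS-SMB2 message layout; `build_sample` and the sample byte strings are constructed for illustration.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
DIALECT_311 = 0x0311        # SMB 3.1.1
CTX_COMPRESSION = 0x0003    # SMB2_COMPRESSION_CAPABILITIES context type
ALGORITHMS = {1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman", 4: "Pattern_V1"}

def parse_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response that starts at the SMB2 header
    (the 4-byte NetBIOS length prefix already removed)."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response")
    dialect, ctx_count = struct.unpack_from("<HH", msg, 68)
    result = {"dialect": dialect, "compression": []}
    if dialect != DIALECT_311:
        return result  # negotiate contexts exist only in SMB 3.1.1
    (offset,) = struct.unpack_from("<I", msg, 124)  # counted from header start
    for _ in range(ctx_count):
        if offset + 8 > len(msg):
            raise ValueError("truncated negotiate context")
        ctx_type, data_len = struct.unpack_from("<HH", msg, offset)
        data = msg[offset + 8 : offset + 8 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated negotiate context data")
        if ctx_type == CTX_COMPRESSION and data_len >= 8:
            (count,) = struct.unpack_from("<H", data, 0)
            if data_len < 8 + 2 * count:
                raise ValueError("bad compression algorithm count")
            ids = struct.unpack_from(f"<{count}H", data, 8)
            # Algorithm id 0 means "NONE": no compression was negotiated.
            result["compression"] = [ALGORITHMS.get(i, hex(i)) for i in ids if i]
        offset = (offset + 8 + data_len + 7) & ~7  # contexts are 8-byte aligned
    return result

def build_sample(dialect: int, contexts: list) -> bytes:
    """Constructed response for offline use: only the parsed fields are set."""
    msg = bytearray(128)
    msg[:4] = SMB2_MAGIC
    struct.pack_into("<HH", msg, 68, dialect, len(contexts))
    struct.pack_into("<I", msg, 124, 128)
    for ctx_type, data in contexts:
        msg += struct.pack("<HHI", ctx_type, len(data), 0) + data
        msg += b"\x00" * (-len(msg) % 8)
    return bytes(msg)

PREAUTH = struct.pack("<HHH", 1, 32, 1) + bytes(32)  # constructed, type 0x0001
LZNT1_ONLY = struct.pack("<HHIH", 1, 0, 0, 1)        # constructed, type 0x0003

if __name__ == "__main__":
    print(parse_negotiate_response(build_sample(0x0311, [(1, PREAUTH), (3, LZNT1_ONLY)])))
    print(parse_negotiate_response(build_sample(0x0311, [(1, PREAUTH)])))
```

An empty `compression` list on a 3.1.1 response is the result to expect once the workaround is in effect.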