A brief update on the SMBGhost vulnerability CVE-2020-0796 in the SMBv3 protocol in Windows 10 version 190x and Windows Server 2019: Microsoft has released an update to close the vulnerability, but this update causes installation errors on some systems. Thousands of systems are still vulnerable and are now under attack.
Patch for SMBv3 vulnerability CVE-2020-0796
On the March 2020 patchday, a serious but unpatched vulnerability (CVE-2020-0796) in the Windows SMBv3 protocol became public. This vulnerability could allow worms to spread. I reported on it in detail in the blog post Windows SMBv3 0-day vulnerability CVE-2020-0796.
Then, on March 12, 2020, Microsoft released an unscheduled security update KB4551762 for the SMBv3 vulnerability CVE-2020-0796 for the following versions of Windows (see also Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796):
- Windows Server Version 1903 (Server Core Installation)
- Windows Server Version 1909 (Server Core Installation)
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
Update KB4551762 is causing issues
The problem is that this update causes installation errors for some users. I pointed out such problems in the blog post Windows 10: KB4551762 causes error 0x800f0988/0x800f0900. Bleeping Computer has collected more errors in this article.
Blog reader EP points out in this comment further printing issues caused by the update. At askwoody.com, a user also reports that his HP printers have stopped working since installing the update. There is also this entry in the HP forum, which reports something similar:
HP Envy 7640 do not print after Windows Update KB4551762
On Win 10, the HP Envy 7640 does not work since the Windows update KB4551762 (no error, the spooler is OK, but the printer does not print).
When I uninstall KB4551762, it's OK.
So there are users who have problems installing update KB4551762 or who uninstall it again. However, a system without the update remains exposed to the vulnerability.
48,000 Windows hosts vulnerable via CVE-2020-0796
After an Internet-wide scan, researchers from cyber security firm Kryptos Logic discovered approximately 48,000 Windows 10 hosts vulnerable to attacks targeting the CVE-2020-0796 (Pre-Auth Remote Code Execution) vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3).
We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).
— Kryptos Logic (@kryptoslogic) March 12, 2020
Bleeping Computer discussed this in this article. In the meantime, the first proof-of-concept (PoC) examples that exploit the vulnerability have also been published. On GitHub you can find PoC examples as well as scanners that can be used to scan a network for vulnerable computers.
GreyNoise is observing ~300 devices probing the Internet for devices vulnerable to Windows SMB CVE-2020-0796 (SMBGhost). The majority of the probes are originating from a hosting provider in Germany.
— GreyNoise Intelligence (@GreyNoiseIO) March 13, 2020
From the above tweet I gather that about 300 sources are currently scanning the Internet for Windows systems vulnerable to CVE-2020-0796 (SMBGhost).
Windows SMBv3 0-day vulnerability CVE-2020-0796
Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796
Windows 10: KB4551762 causes error 0x800f0988/0x800f0900
A Scanner for Windows SMBv3 Vulnerability CVE-2020-0796