Users of Windows 10 systems should patch them, since a new proof of concept (PoC) for the SMBGhost vulnerability has been made public. Here are a few details about it.
SMBGhost Vulnerability CVE-2020-0796
There is a serious, but already patched, vulnerability in the SMBv3 network protocol in Windows. It is wormable, but is not currently being exploited. Microsoft published the details in security advisory ADV200005 (see also my blog post Windows SMBv3 0-day vulnerability CVE-2020-0796). On March 12, 2020, Microsoft released the out-of-band security update KB4551762 for the SMBv3 vulnerability CVE-2020-0796 in Windows 10 and Windows Server (see my blog post Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796).
The problem is that this update causes installation errors for some users. I pointed out such problems in the blog post Windows 10: KB4551762 causes error 0x800f0988/0x800f0900. Bleeping Computer has collected further errors in this article (see also my blog post News about the Windows SMBv3 vulnerability SMBGhost).
Proof of concept, patching required
Those who have not yet closed the SMBGhost vulnerability CVE-2020-0796 on affected machines with the update should react now, because it is only a matter of time before the (numerous) unpatched machines are attacked by cyber criminals via this vulnerability.
— BleepingComputer (@BleepinComputer) June 5, 2020
From the above tweet from Bleeping Computer and the related article I gather that there have been attempts (1, 2) in the past to exploit the vulnerability with Trojans. Now, however, a security researcher has published a proof of concept, SMBGhost_RCE_PoC, on GitHub that can be used to exploit the vulnerability. The exploit is based on a physical read primitive, the security researcher told BleepingComputer, and the PoC code was written to demonstrate this interesting primitive. Exploitation attempts usually end in a BlueScreen (BSOD), but the researcher says this primitive may make it easier to exploit future memory corruption bugs in SMB. At the moment an information leak is needed for remote exploitation; the primitive, however, would allow a less complicated method. Security researcher Will Dormann has tested the PoC and obtained varying results, so the approach is not yet considered reliable.
There are, however, indications from other security researchers that the PoC works with modifications. Reading between the lines of the Bleeping Computer article, I also expect corresponding information to be published in the next few days. The whole thing is therefore a reminder that administrators should install the patch (if not already done) or, alternatively, disable SMBv3 compression. For more details, please see the related article from Bleeping Computer.
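As an added example (not from the original post or from Bleeping Computer), the following PowerShell script checks a Windows 10 host for the two defensive states mentioned above: whether KB4551762 is installed and whether the SMBv3 compression workaround from Microsoft advisory ADV200005 is active. It assumes the registry path and the DisableCompression value documented in that advisory; the affected build numbers in the comment are taken from the same advisory.

```powershell
# Added example, not code from the original post. Checks the SMBGhost
# (CVE-2020-0796) update and the SMBv3 compression workaround from ADV200005.
# Run in an elevated PowerShell on the host being checked.
# Assumption: DisableCompression under LanmanServer\Parameters is the
# workaround value from ADV200005; 1 disables SMBv3 compression server-side.

$ErrorActionPreference = 'Stop'
$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$patchId   = 'KB4551762'   # out-of-band update released March 12, 2020

function Test-SmbGhostPatched {
    # $true when the out-of-band update is listed as installed.
    # Later cumulative updates supersede KB4551762, so a missing entry on a
    # system patched through a newer cumulative update is not proof of exposure.
    return [bool](Get-HotFix -Id $patchId -ErrorAction SilentlyContinue)
}

function Get-SmbCompressionState {
    # Reads the workaround value; a missing value means compression is enabled.
    $v = Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'enabled (no DisableCompression value)' }
    if ($v.DisableCompression -eq 1) { return 'disabled (workaround active)' }
    return "enabled (DisableCompression = $($v.DisableCompression))"
}

function Disable-SmbCompression {
    # Applies the ADV200005 workaround; the advisory states no reboot is needed.
    Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 1 -Force
}

# Only Windows 10 / Server versions 1903 (build 18362) and 1909 (build 18363)
# ship the affected SMBv3 compression code.
$build = [System.Environment]::OSVersion.Version.Build
Write-Host "OS build: $build (affected builds: 18362, 18363)"
Write-Host "$patchId present: $(Test-SmbGhostPatched)"
Write-Host "SMBv3 compression: $(Get-SmbCompressionState)"

if (($build -in 18362, 18363) -and -not (Test-SmbGhostPatched) -and
    ((Get-SmbCompressionState) -like 'enabled*')) {
    Write-Warning 'Affected build, update not listed, compression enabled: applying workaround.'
    Disable-SmbCompression
    Write-Host "SMBv3 compression now: $(Get-SmbCompressionState)"
}
```

The workaround only protects the SMB server side; clients connecting to a malicious server still need the update itself.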