{"id":13751,"date":"2020-03-19T11:30:02","date_gmt":"2020-03-19T10:30:02","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13751"},"modified":"2022-11-04T11:52:22","modified_gmt":"2022-11-04T10:52:22","slug":"news-about-the-windows-smbv3-vulnerability-smbghost","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/03\/19\/news-about-the-windows-smbv3-vulnerability-smbghost\/","title":{"rendered":"News about the Windows SMBv3 vulnerability SMBGhost"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/win102.jpg\" width=\"58\" align=\"left\" height=\"58\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/19\/aktuelles-zur-windows-smbv3-schwachstelle-smbghost\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] A brief update on the SMBGhost vulnerability CVE-2020-0796 in the SMBv3 protocol in Windows 10 version 190x and Windows Server 2019. Microsoft has released an update to close the vulnerability. However, this update causes installation errors on some systems. Thousands of systems are still vulnerable and are now under attack.<\/p>\n<p><!--more--><\/p>\n<h2>Patch for SMBv3 vulnerability CVE-2020-0796<\/h2>\n<p>On the March 2020 patchday, a serious but unpatched vulnerability (<a href=\"https:\/\/kb.cert.org\/vuls\/id\/872016\/\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-0796<\/a>) in the Windows SMBv3 protocol became public. This vulnerability could allow worms to spread. 
I reported on it in detail in the blog post <a href=\"https:\/\/borncity.com\/win\/2020\/03\/11\/windows-smbv3-0-day-vulnerability-cve-2020-0796\/\">Windows SMBv3 0-day vulnerability CVE-2020-0796<\/a>.<\/p>\n<p>Then, on March 12, 2020, Microsoft released an unscheduled security update <a href=\"https:\/\/support.microsoft.com\/help\/4551762\/\" target=\"_blank\" rel=\"noopener noreferrer\">KB4551762<\/a> for the SMBv3 vulnerability CVE-2020-0796 for the following versions of Windows (see also <a href=\"https:\/\/borncity.com\/win\/2020\/03\/12\/windows-10-patch-for-smbv3-vulnerability-cve-2020-0796\/\">Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796<\/a>):<\/p>\n<ul>\n<li>Windows Server Version 1903 (Server Core Installation)<\/li>\n<li>Windows Server Version 1909 (Server Core Installation)<\/li>\n<li>Windows 10 Version 1903 for 32-bit Systems<\/li>\n<li>Windows 10 Version 1903 for ARM64-based Systems<\/li>\n<li>Windows 10 Version 1903 for x64-based Systems<\/li>\n<li>Windows 10 Version 1909 for 32-bit Systems<\/li>\n<li>Windows 10 Version 1909 for ARM64-based Systems<\/li>\n<li>Windows 10 Version 1909 for x64-based Systems<\/li>\n<\/ul>\n<h2>Update KB4551762 is causing issues<\/h2>\n<p>The problem is that this update causes installation errors for some users. I pointed out such problems in the blog post <a href=\"https:\/\/borncity.com\/win\/2020\/03\/13\/windows-10-kb4551762-causes-error-0x800f0988-0x800f0900\/\">Windows 10: KB4551762 causes error 0x800f0988\/0x800f0900<\/a>. Bleeping Computer has collected more errors in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-10-kb4551762-security-update-fails-to-install-causes-issues\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>. 
<\/p>\n<p>In <a href=\"https:\/\/borncity.com\/win\/2020\/03\/13\/windows-10-kb4551762-causes-error-0x800f0988-0x800f0900\/#comment-8876\" target=\"_blank\" rel=\"noopener noreferrer\">this comment<\/a>, blog reader EP points out further printing issues caused by the update. At askwoody.com, a user also <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/win10-1909-kb4551762\/#post-2208340\" target=\"_blank\" rel=\"noopener noreferrer\">reports<\/a> that his HP printers have stopped working since installing the update. There is also <a href=\"https:\/\/h30434.www3.hp.com\/t5\/Inkjet-Printing\/HP-Envy-7640-do-not-print-after-Windows-Update-KB4551762\/td-p\/7509365\" target=\"_blank\" rel=\"noopener noreferrer\">this entry<\/a> in the HP forum, which reports something similar:<\/p>\n<blockquote>\n<p>HP Envy 7640 do not print after Windows Update KB4551762<\/p>\n<p>On Win 10, HP Envy 7640 does not work since the Windows update KB4551762 (no error, the spooler is ok, but the printer does not print).  <\/p>\n<p>When I uninstall the KB4551762, it's ok.<\/p>\n<\/blockquote>\n<p>So there are users who have problems installing update KB4551762. However, leaving the update uninstalled exposes the system to risks. <\/p>\n<h2>48,000 Windows hosts vulnerable via CVE-2020-0796<\/h2>\n<p>After an Internet-wide scan, researchers from cyber security firm Kryptos Logic discovered approximately 48,000 Windows 10 hosts vulnerable to attacks targeting the CVE-2020-0796 (Pre-Auth Remote Code Execution) vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3). <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. 
We're also working on a blog post with more details (after patch).<\/p>\n<p>\u2014 Kryptos Logic (@kryptoslogic) <a href=\"https:\/\/twitter.com\/kryptoslogic\/status\/1238069159919063050?ref_src=twsrc%5Etfw\">March 12, 2020<\/a><\/p><\/blockquote>\n<p>Bleeping Computer discussed this in <a href=\"https:\/\/web.archive.org\/web\/20220507024135\/https:\/\/www.bleepingcomputer.com\/news\/security\/48k-windows-hosts-vulnerable-to-smbghost-cve-2020-0796-rce-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">this article<\/a>. In the meantime, the first proof-of-concept (PoC) examples that exploit the vulnerability have also been published. On <a href=\"https:\/\/github.com\/search?q=CVE-2020-0796\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub<\/a> you can find PoC examples as well as scanners that can be used to scan a network for vulnerable computers. <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">GreyNoise is observing ~300 devices probing the Internet for devices vulnerable to Windows SMB CVE-2020-0796 (SMBGhost). The majority of the probes are originating from a hosting provider in Germany.<\/p>\n<p>Tags are available to all users now. 
<a href=\"https:\/\/t.co\/bjKozZVK8b\">https:\/\/t.co\/bjKozZVK8b<\/a> <a href=\"https:\/\/t.co\/DqzsajpqON\">pic.twitter.com\/DqzsajpqON<\/a><\/p>\n<p>\u2014 GreyNoise Intelligence (@GreyNoiseIO) <a href=\"https:\/\/twitter.com\/GreyNoiseIO\/status\/1238499351778988032?ref_src=twsrc%5Etfw\">March 13, 2020<\/a><\/p><\/blockquote>\n<p>From the above tweet I gather that about 300 sources are currently scanning the Internet for vulnerable Windows systems with the vulnerability CVE-2020-0796 (SMBGhost). <\/p>\n<p><strong>Similar articles:<\/strong><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/11\/windows-smbv3-0-day-vulnerability-cve-2020-0796\/\">Windows SMBv3 0-day vulnerability CVE-2020-0796<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/12\/windows-10-patch-for-smbv3-vulnerability-cve-2020-0796\/\">Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/13\/windows-10-kb4551762-causes-error-0x800f0988-0x800f0900\/\">Windows 10: KB4551762 causes error 0x800f0988\/0x800f0900<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/12\/a-scanner-for-windows-smbv3-vulnerability-cve-2020-0796\/\">A Scanner for Windows SMBv3 Vulnerability CVE-2020-0796<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] A brief update on the SMBGhost vulnerability CVE-2020-0796 in the SMBv3 protocol in Windows 10 version 190x and Windows Server 2019. Microsoft has released an update to close the vulnerability. However, this update causes installation errors on some systems. 
&hellip; <a href=\"https:\/\/borncity.com\/win\/2020\/03\/19\/news-about-the-windows-smbv3-vulnerability-smbghost\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[2326,1309,69,2324,195,194],"class_list":["post-13751","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-kb4551762","tag-network","tag-security","tag-smbv3","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13751"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13751\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=13751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}