Skip to content

CVE-2020-0796: Understanding the SMBGhost vulnerability

Jordan Hammond fun headshot
Jordan Hammond|Updated May 10, 2021
cve-2020-0796 understanding the smbghost vulnerability
cve-2020-0796 understanding the smbghost vulnerability

Patch Tuesday has come and gone. We saw 115 vulnerabilities get patched, but unfortunately, we saw 116 vulnerabilities mentioned. The CVE that snuck its way in is CVE-2020-0796, and is considered to be a critical issue for windows 10 machines, with no patch available as of this writing. The vulnerability is a remote execution vulnerability with SMBv3. Lot’s of names bouncing around for this one, I will back MalwareHunterTeam, who broke this news and use the name SMBGhost.

How Does SMBGhost Work?

An attacker could gain the ability to execute code on a target SMB server or client. The Microsoft advisory says, “To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.” This means if the attacker can reach the SMBv3 server they can execute the code, but SMB client requires them to connect to a malicious SMBv3 Server, so properly training the employees on recognizing common social hacking can help mitigate it a little bit.

What Can We Do About It

The Microsoft advisory does mention a few options as a workaround. Blocking TCP port 445 on your perimeter firewall will protect you from external attacks, but you are still vulnerable internally.

We have seen a few places mention that disabling TCP port 445 on the client will help protect your environment. This is basically shutting off SMB for your network. Windows domains rely on SMB for many purposes. This would kill almost anything that relies on Windows networking. Things like printing, file shares, Active Directory, and Group Policy.

You can also disable SMBv3 compression, and this will protect your server against the vulnerability, but does not prevent the exploit against the clients. There is a potential downside with turning off the compression. Turning off that compression is going to make your network VERY chatty, and may lead to some network slowness.

Ultimately it is up to you to decide what will be more disruptive to your environment. If you would like to disable the compression, you only need to run a PowerShell 1-liner on your SMBv3 server (see Set-ItemProperty)

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Conclusion

Microsoft has yet to have a comment about this, but I think it is a safe bet to assume there will be an out of band update coming for Windows 10 that will close this up. If you do decide to turn off your compression, please make sure to turn it back on once the patch is released.

Jordan Hammond fun headshot
Jordan Hammond

Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet.

Related articles