SMBv3.11 Vulnerability

Recently, a vulnerability in SMBv3.1 (CVE-2020-0796) was disclosed, with no patch available at the time. SMB, also known as the Server Message Block protocol, is a network file-sharing protocol that is installed on Microsoft Windows.

Microsoft’s Security Advisory explains it as follows:

An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client. To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.

Those who want to know which SMB version a system or application uses can find out with an nmap script.

Below are the affected versions of Windows that need a security update immediately:

Source: CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability

The script to use is smb-protocols, which is found in /usr/share/nmap/scripts on the Kali Linux operating system, as in the screenshot below.

To use the script during information gathering, run the command nmap --script smb-protocols -p 445 <ip address>
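When the scan covers many hosts, the smb-protocols output can be parsed to list the hosts that offer the SMB 3.1.1 dialect and therefore need their CVE-2020-0796 patch or workaround status checked. Offering the dialect does not by itself mean the host is vulnerable. This is an added example, not part of the original post. The sample output is constructed, and the two dialect notations it handles ("3.11" and "3:1:1") are an assumption about what different nmap releases print.

```python
import re

# Constructed sample of `nmap --script smb-protocols -p 445 <ip address>` output.
# Assumption: older nmap prints the dialect as "3.11", newer releases as "3:1:1".
SAMPLE = """\
Nmap scan report for 192.0.2.10
Host script results:
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.11

Nmap scan report for fileserver.example (192.0.2.20)
Host script results:
| smb-protocols:
|   dialects:
|     2:0:2
|_    3:0:2
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
DIALECT_RE = re.compile(r"\d[.:]\d[.:]?\d")
CHECKS = {"311": "offers SMB 3.1.1: verify CVE-2020-0796 patch or workaround",
          "SMBv1": "SMBv1 enabled (nmap marks it dangerous)"}

def parse_smb_protocols(text):
    """Return {host: set of dialects}, normalized to digits ('311') or 'SMBv1'."""
    hosts, host, in_dialects = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, in_dialects = m.group(1), False
            hosts[host] = set()
        elif host and line.strip().endswith("dialects:"):
            in_dialects = True
        elif host and in_dialects and line.startswith("|"):
            entry = line.lstrip("|_ ").strip()
            if "SMBv1" in entry:
                hosts[host].add("SMBv1")
            elif DIALECT_RE.fullmatch(entry):
                hosts[host].add(re.sub(r"\D", "", entry))
            in_dialects = not line.startswith("|_")  # "|_" ends the script block
        else:
            in_dialects = False
    return hosts

def triage(hosts):
    return {h: [msg for key, msg in CHECKS.items() if key in d]
            for h, d in hosts.items() if d & set(CHECKS)}
```

Calling triage(parse_smb_protocols(SAMPLE)) returns only 192.0.2.10, with both findings.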

Another way to verify whether your SMBv3 is vulnerable to the exploit is to use SMBGhost.

The above screenshot shows how to install SMBGhost on your machine by using the command

git clone https://github.com/ollypwn/SMBGhost.git

To run the SMBGhost scanner, the user will need to execute the command shown in the screenshot. It will take some time to get the result, and the scanner will show either “Vulnerable” or “Not Vulnerable” depending on the machine.

Last Thursday, Microsoft released a guideline on how to prevent this vulnerability from getting worse. While waiting for the patch, there is a workaround for this vulnerability, which is disabling the SMBv3 service on the Windows operating system.

To disable SMBv3, the administrator needs to either execute the command below in the command prompt or change the value manually in the Windows Registry.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Source: CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability, CVE-2020-0796, SMBGhost Github, Guideline

Author: Wan Ariff

He brings with him working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion is IT Security.
