SMBGhost

What's SMBGhost?

SMBGhost is a critical remote code execution vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, caused by improper handling of compressed data packets. It allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

The vulnerability was accidentally leaked in Microsoft's Advance Notification Service for the March 2020 Patch Tuesday updates. Security researchers from Cisco Talos and Fortinet noticed references to an unannounced CVE in the updates, leading to public disclosure.

Key Facts

• CVSS Score: 10.0 (Critical)
• Affected Systems: Windows 10 versions 1903 and 1909, Windows Server versions 1903 and 1909
• Wormable: Can self-propagate across networks similar to WannaCry
• Exploitation: Pre-authentication via specially crafted SMB packets
• Discovery: Identified by reverse engineering the leaked patch information around March 10, 2020.
• Notification: Due to the leak, it became public knowledge before the official patch. Microsoft issued an advisory on March 10, 2020.
• Vendor Patch Timeline: Microsoft released an out-of-band security update (KB4551762) on March 12, 2020, to address the issue.

Timeline of Related Events

• Early 2020 (Exact Date Unknown): Microsoft internally identifies the SMBv3.1.1 vulnerability during development or testing of the March 2020 Patch Tuesday updates. The issue involves improper handling of compressed data packets in the SMBv3 protocol, potentially allowing remote code execution.
• March 10, 2020: The vulnerability is accidentally leaked through Microsoft's Advance Notification Service. Security researchers from Cisco Talos and Fortinet notice references to an unannounced CVE-2020-0796 in the update notes. Microsoft issues an initial advisory (ADV200005) acknowledging the flaw, later dubbed "SMBGhost" by the security community due to its wormable nature.
• March 11, 2020: Public awareness grows as security researchers and blogs begin discussing the leaked details. The critical nature of the vulnerability (CVSS score 10.0) and its potential for wormable exploitation draw comparisons to the 2017 WannaCry attack leveraging EternalBlue.
• March 12, 2020: Microsoft releases an out-of-band security update (KB4551762) to address CVE-2020-0796 for affected systems (Windows 10 versions 1903 and 1909, Windows Server versions 1903 and 1909). The patch disables SMBv3 compression by default and fixes the packet handling issue. Microsoft urges immediate patching due to the risk of rapid exploitation.
• March 13–15, 2020: Security firms, including Trellix, McAfee, and Sophos, publish analyses of SMBGhost, detailing its technical mechanics and exploitation potential. Early proof-of-concept (PoC) code begins circulating in private researcher communities, raising concerns about imminent public exploits.
• March 31, 2020: Public proof-of-concept exploits start appearing on platforms like GitHub, demonstrating denial-of-service (DoS) capabilities but not yet full remote code execution. These PoCs increase urgency for organizations to apply the patch or implement workarounds (disabling SMBv3 compression or blocking port 445).
• April 2020: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issues alerts urging organizations to prioritize patching due to the vulnerability's wormable nature. Reports indicate limited exploitation in the wild, primarily for DoS attacks, as full RCE exploits remain complex to develop.
• June 2020: Researchers publish full remote code execution exploit code, demonstrating the ability to gain SYSTEM-level access on unpatched systems. This escalates the threat, as attackers can now chain SMBGhost with other techniques for lateral movement in networks.
• July–August 2020: Security vendors report increased scanning activity targeting port 445, indicating attackers are probing for unpatched systems. Some ransomware campaigns attempt to leverage SMBGhost, though widespread exploitation is limited compared to WannaCry, likely due to rapid patching and mitigations.
• Late 2020: Microsoft includes the SMBGhost fix in cumulative updates for supported Windows versions, reducing the number of vulnerable systems. However, legacy or unmaintained systems remain at risk, particularly in small-to-medium businesses with lax patch management.

Impact

• Remote Code Execution: Attackers can gain full control over affected systems without authentication.
• Wormable Propagation: Potential to spread rapidly across connected networks, leading to widespread compromise.
• Scope: Affects both SMB servers and clients with compression enabled (default setting), primarily in enterprise environments using file sharing.
• Privilege Escalation: Exploits run with SYSTEM privileges, allowing complete system takeover.
• No User Interaction Required: Fully remote and network-exploitable.

What's SMB

Server Message Block (SMB) is a network communication protocol developed by Microsoft for providing shared access to files, printers, and serial ports between nodes on a network. SMBv3.1.1 introduced features like compression to improve performance, but this introduced the vulnerability in handling compressed data.

Implications

This vulnerability poses significant operational and security risks, especially in unpatched environments. It could lead to data breaches, ransomware attacks, or denial-of-service incidents. In enterprise settings, it threatens entire networks due to its wormable nature, potentially disrupting business operations and compromising sensitive data.

Mitigation

Immediate (0–7 days)

• Disable SMBv3 compression via registry: Set HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters DisableCompression to 1 (requires reboot).
• Block inbound SMB traffic on port 445 using firewalls.
• Isolate vulnerable systems from the network.

Short-Term (1–4 weeks)

• Apply the Microsoft security update KB4551762 to all affected systems.
• Scan networks for vulnerable hosts using tools like Nmap or vulnerability scanners.

Medium-Term (1–3 months)

• Implement network segmentation to limit SMB traffic.
• Monitor for exploitation attempts using IDS/IPS systems.
• Update endpoint protection signatures.

Long-Term (3–6+ months)

• Upgrade to newer Windows versions (Windows 10 2004 or later) that are not affected.
• Adopt zero-trust network models to reduce reliance on SMB.
• Conduct regular vulnerability assessments and patch management audits.

Timeline

Key Takeaways

• Prompt patching is critical for wormable vulnerabilities to prevent rapid spread.
• Workarounds like disabling features can provide temporary protection.
• Network segmentation and monitoring are essential in mitigating remote exploits.
• Historical vulnerabilities like SMBGhost highlight the importance of protocol security in Windows environments.

References

• Microsoft Security Advisory CVE-2020-0796
• NVD — CVE-2020-0796 Detail
• Trellix Research — SMBGhost Analysis
• AttackerKB — CVE-2020-0796 SMBGhost

Identification Tool

Checklist for confirming if a system is affected:

1. Run winver to check Windows version and build number.
2. If version is 1903 (build 18362.xxx) or 1909 (build 18363.xxx) and xxx < 720, the system is potentially vulnerable.
3. Check registry key HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression — if set to 1, compression is disabled (mitigated).
4. Verify if SMBv3 is enabled by checking if port 445 is listening using netstat -an.
5. Use vulnerability scanners like Nessus or OpenVAS to scan for CVE-2020-0796.

PowerShell Check Script

$os = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
$build = $os.CurrentBuildNumber
$ubr = $os.UBR
$vulnerable = $false

if (($build -eq 18362 -and $ubr -lt 720) -or ($build -eq 18363 -and $ubr -lt 720)) {
    $vulnerable = $true
}

$compression = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -ErrorAction SilentlyContinue

if ($vulnerable) {
    if ($compression -and $compression.DisableCompression -eq 1) {
        Write-Host -ForegroundColor Green "OK - Vulnerability mitigated by disabling compression."
    } else {
        Write-Host -ForegroundColor Red "Update Needed - System is vulnerable to SMBGhost."
    }
} else {
    Write-Host -ForegroundColor Green "OK - System is not affected or already patched."
}