
Microsoft's SMB protocol is notorious for security flaws. SMB is a network communication protocol used widely by corporations around the globe, and EternalBlue was the infamous vulnerability that previously affected it. Now a new flaw has been discovered in the latest version of the protocol, SMB 3.1.1. The vulnerability, dubbed SMBGhost, is tracked as CVE-2020-0796, carries a perfect CVSS score of 10 and is rated Critical[4]. SMBGhost stems from an integer overflow vulnerability[3].
Insights
SMBGhost affects systems running Windows 10 version 1903 and 1909 and Windows Server version 1903 and 1909[1]. An unauthenticated attacker can send a maliciously crafted request to a vulnerable SMB server and execute code remotely on that server[2]. To attack a client machine, the attacker instead has to play the role of the server[2]: the attacker configures a malicious SMB server and lures the user into connecting to it. As of now, there have been no signs of public exploits. However, researchers at Ricerca Security have produced a PoC video demonstrating remote code execution through SMBGhost, and have provided the complete source code to customers subscribed to their premium services[3]. Another PoC video, demonstrating a SMBGhost denial of service, was released by security researcher Marcus Hutchins of Kryptos Logic. According to an Internet-wide scan performed by Kryptos Logic, 48000 Windows 10 hosts are vulnerable to SMBGhost[1]. CVE-2020-0796 is a serious flaw, and Microsoft urges its customers to patch their machines against SMBGhost.
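The integer overflow behind SMBGhost belongs to a well-known bug class: two attacker-controlled 32-bit length fields from a message header are added together to size a buffer, and the sum wraps, so a tiny buffer is allocated for a huge payload. The following C program is an added illustration of that class, not Microsoft's code: the header structure, field names and values are a constructed, simplified model, shown alongside the overflow check that a hardened receiver should apply before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled message header (hypothetical, not the real SMB2 structure):
 * two attacker-controlled 32-bit sizes that the receiver adds together
 * to decide how large a buffer to allocate. */
typedef struct {
    uint32_t payload_len;  /* length of the data that follows the header */
    uint32_t offset;       /* bytes of prefix placed before that data    */
} msg_header_t;

/* Vulnerable pattern: the 32-bit sum silently wraps, so a huge payload_len
 * plus a small offset yields a tiny allocation that later writes overrun. */
uint32_t naive_total(const msg_header_t *h) {
    return h->payload_len + h->offset;
}

/* Hardened pattern: reject the message if the sum would not fit in 32 bits
 * instead of trusting the arithmetic. */
bool checked_total(const msg_header_t *h, uint32_t *out) {
    if (h->payload_len > UINT32_MAX - h->offset)
        return false;           /* overflow: treat the input as malformed */
    *out = h->payload_len + h->offset;
    return true;
}

/* True when the naive arithmetic would under-allocate for this header:
 * the checked path rejects it, yet the naive size is smaller than the
 * payload alone. */
bool naive_underallocates(const msg_header_t *h) {
    uint32_t total;
    return !checked_total(h, &total) && naive_total(h) < h->payload_len;
}

int main(void) {
    /* Constructed sample headers: "bad" is sized so the 32-bit sum wraps. */
    msg_header_t bad  = { .payload_len = 0xFFFFFFF0u, .offset = 0x20u };
    msg_header_t good = { .payload_len = 4096u,       .offset = 16u   };
    uint32_t total = 0;

    printf("naive size for bad header: %u bytes\n", naive_total(&bad));
    printf("checked path rejects bad header: %s\n",
           checked_total(&bad, &total) ? "no" : "yes");
    printf("naive arithmetic under-allocates: %s\n",
           naive_underallocates(&bad) ? "yes" : "no");
    printf("checked path accepts good header: %s (%u bytes)\n",
           checked_total(&good, &total) ? "yes" : "no", total);
    return 0;
}
```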
Conclusion
Microsoft has addressed this critical flaw by releasing a security advisory that describes several strategies for mitigating it. The flaw in the SMB protocol clearly violates the CIA triad. Confidentiality is compromised because user data can be leaked by exploiting the vulnerability. Integrity is compromised because the attacker can execute code remotely on vulnerable systems. Availability is compromised because the attacker can perform denial of service attacks against the target systems.
References