The March Patch Tuesday did not include a fix for CVE-2020-0796, a vulnerability whose details Cisco Talos and Fortinet mistakenly published ahead of the patch.
CVE-2020-0796, also known as SMBGhost, affects SMBv3 (the 3.1.1 dialect); Windows 10 versions 1903 and 1909 and Windows Server versions 1903 and 1909 are vulnerable. Recall that SMB was the protocol over which WannaCry and NotPetya spread worldwide several years ago (through a different bug, in SMBv1). Last month, Kryptos Logic counted about 48,000 Internet-facing hosts with SMB port 445 open that are exposed to potential attacks on the new bug.
According to Fortinet, the vulnerability is a buffer overflow in the Microsoft SMB server. It is triggered when the vulnerable code processes a maliciously crafted compressed data packet, and a remote, unauthenticated attacker can use it to execute arbitrary code in the context of the application. Cisco Talos published, and then removed, a similar description; the company stated that "exploitation of the vulnerability opens systems up to a wormable attack", meaning the problem could easily spread from victim to victim.
Because of the premature disclosure, Microsoft engineers had to rush out an out-of-band patch in mid-March. The fix is available as KB4551762 for Windows 10, versions 1903 and 1909, and for Windows Server, versions 1903 and 1909.
Researchers have since created and published tools for finding vulnerable servers, and have also released PoC exploits that achieve denial of service (DoS).
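The scanners mentioned above work at the SMB2 NEGOTIATE level: they offer dialect 3.1.1 together with a compression negotiate context and check whether the server answers with a compression context of its own. The script below is an added example written for this article, not ZecOps', Kryptos Logic's or any published scanner's code; it assumes the NEGOTIATE request and response layouts from MS-SMB2 (sections 2.2.3 and 2.2.4), and the reply produced by make_sample_response() is constructed test data, not a capture from a real host. probe() sends the request to a live host; the parser and the decision logic can be exercised offline against the constructed reply.

```python
"""Probe for the SMBGhost precondition: an SMB 3.1.1 server advertising
compression in its NEGOTIATE reply. Added example, not any published scanner's
code; layouts follow MS-SMB2, and make_sample_response() is constructed data."""
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMPRESSION_NAMES = {0: "NONE", 1: "LZNT1", 2: "LZ77", 3: "LZ77+Huffman"}


def _align8(n):
    return (n + 7) & ~7


def _header(flags):
    """64-byte SMB2 header for a NEGOTIATE (MessageId 0, no session)."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                       1, flags, 0, 0, 0, 0, 0, b"\x00" * 16)


def _contexts(algs, salt):
    """Preauth-integrity (SHA-512) context, padded to 8, then a compression context."""
    preauth = struct.pack("<HHH", 1, len(salt), 0x0001) + salt
    out = struct.pack("<HHI", CTX_PREAUTH_INTEGRITY, len(preauth), 0) + preauth
    out += b"\x00" * (_align8(len(out)) - len(out))
    comp = struct.pack("<HHI", len(algs), 0, 0) + struct.pack("<%dH" % len(algs), *algs)
    return out + struct.pack("<HHI", CTX_COMPRESSION, len(comp), 0) + comp


def build_negotiate_request():
    """NEGOTIATE offering dialects up to 3.1.1 plus every compression algorithm."""
    dialects = [0x0202, 0x0210, 0x0300, 0x0302, DIALECT_311]
    fixed = 36 + 2 * len(dialects)            # body bytes before the context list
    ctx_off = _align8(64 + fixed)             # offset from SMB2 header start
    body = struct.pack("<HHHHI16sIHH", 36, len(dialects), 1, 0, 0,
                       uuid.uuid4().bytes, ctx_off, 2, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    body += b"\x00" * (ctx_off - 64 - fixed) + _contexts((1, 2, 3), b"\x00" * 32)
    msg = _header(0) + body
    return struct.pack(">I", len(msg)) + msg  # NetBIOS session header


def parse_negotiate_response(raw):
    """Return (dialect, [compression algorithm ids]) from NetBIOS+SMB2 reply bytes."""
    smb = raw[4:]
    if len(smb) < 128 or smb[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 reply")
    status, command = struct.unpack_from("<IH", smb, 8)
    size, _sec, dialect, ctx_count = struct.unpack_from("<HHHH", smb, 64)
    if status or command != SMB2_NEGOTIATE or size != 65:
        raise ValueError("unexpected reply")
    algs = []
    if dialect == DIALECT_311:                # contexts exist only for 3.1.1
        off = struct.unpack_from("<I", smb, 64 + 60)[0]   # NegotiateContextOffset
        for _ in range(ctx_count):
            ctype, dlen = struct.unpack_from("<HH", smb, off)
            if ctype == CTX_COMPRESSION and dlen >= 8:
                count = struct.unpack_from("<H", smb, off + 8)[0]
                algs = list(struct.unpack_from("<%dH" % count, smb, off + 16))
            off += _align8(8 + dlen)          # contexts are 8-byte aligned
    return dialect, algs


def looks_exploitable(dialect, algs):
    """SMBGhost needs 3.1.1 with a real compression algorithm on offer. A host
    with KB4551762 installed still advertises compression, so True means
    'verify the patch', not 'unpatched'; only the DisableCompression
    workaround makes this return False."""
    return dialect == DIALECT_311 and any(a != 0 for a in algs)


def make_sample_response(dialect=DIALECT_311, algs=(1, 2, 3)):
    """Constructed reply in the layout a Windows 10 1909 server uses (not a capture)."""
    ctx = _contexts(algs, b"\x11" * 32) if dialect == DIALECT_311 else b""
    blob = b"\x60\x28\x06\x06"                # stand-in for the SPNEGO token
    sec_off = 64 + 64                         # header + 64-byte fixed body
    ctx_off = _align8(sec_off + len(blob)) if ctx else 0
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, 2 if ctx else 0,
                       b"\x22" * 16, 0x2F, 0x800000, 0x800000, 0x800000, 0, 0,
                       sec_off, len(blob), ctx_off)
    pad = b"\x00" * (ctx_off - sec_off - len(blob)) if ctx else b""
    msg = _header(1) + body + blob + pad + ctx    # Flags = SERVER_TO_REDIR
    return struct.pack(">I", len(msg)) + msg


def probe(host, port=445, timeout=3.0):
    """Send the NEGOTIATE to a live host and parse the reply; e.g. probe('192.0.2.10')."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = s.recv(4)
        want, data = struct.unpack(">I", nb)[0] & 0xFFFFFF, b""
        while len(data) < want:
            chunk = s.recv(want - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(nb + data)
```

The caveat in looks_exploitable() is the important one: a negotiate-level check only tells you that a host speaks SMB 3.1.1 with compression, which is what the public scanners report; an installed KB4551762 does not change that answer, so a hit should be followed by checking the host's installed updates rather than treated as proof that it is unpatched.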
A PoC for remote code execution has not yet been published because of how dangerous it would be, but ZecOps researchers developed and released a PoC demonstrating how SMBGhost can be used to elevate privileges to SYSTEM on a local machine. ZecOps also published a blog post with technical details of the local privilege escalation attack.
A similar exploit for SMBGhost was independently presented by researchers Daniel García Gutiérrez and Manuel Blanco Parajón.
Experts remind users to install updates promptly, since the appearance of a public RCE exploit is surely only a matter of time.