SMBGhost
What Happened?
This week, Microsoft accidentally published information around a newly identified vulnerability in SMBv3, which is being dubbed SMBGhost. This vulnerability can lead to remote code execution on the server, which is always a major concern as far as the severity of vulnerabilities go. The version affected specifically is 3.1.1, which is a more recent version. They mention that this can be exploited from an unauthenticated attacker who sends a specially crafted packet to a target the SMBv3 Server. This is extremely similar to the SMBv1 vulnerability that I recently covered. The scary part about this vulnerability is that it has been deemed ‘wormable’ which means if someone were to exploit one of your machines, it can potentially spread from machine to machine throughout your environment.
What’s Affected
It’s been identified that all Windows 10 and Windows Server running version 1903 and 1909 are affected by this. Fortunately, there some potential mitigations and workarounds that you can take to avoid this issue, and as of 3/12/2020, Microsoft actually released a patch that addresses this vulnerability.
Prevention and Mitigation of SMBv3
Obviously, the first thing that you’ll want to do if you’re able, is to apply the patch mentioned above. Keeping your security patches up to date is the most effective way to mitigate identified vulnerabilities that have known solutions. If for whatever reason, you’re not able to apply the patch in the short term, Microsoft has identified a workaround to prevent this from being exploited. The issue lies in SMB compression, so disabling this feature of SMB will protect you from an attacker attempting to exploit it.
{code} Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" DisableCompression -Type DWORD -Value 1 -Force{code}The above PowerShell code to update your registry will disable the compression feature on SMB Servers. This will not protect your SMB clients, the code needed to update your clients is below:
{code} Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters" DisableCompression -Type DWORD -Value 0 -Force{code}Fortunately, neither of these updates to the registry requires a reboot to take effect. One question you may have, is what impact will disabling SMB compression have? Well, funny enough, Microsoft mentions in their advisory that SMB compression isn’t even used in Windows or Windows Server yet. It will have no negative performance impact.
Kevin Joyce is a Senior Technical Product Manager at Stealthbits – now part of Netwrix. He is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.
Related Posts
- What Comes After the FireEye Attack
- Giving Back while Safeguarding Schools in the Age of COVID-19
- Malware’s Growth During the COVID-19 Pandemic
- PostgreSQL Server Security Primer
- Top Data Breaches of 2020
- What is Privacy by Design?
- Data Privacy Essentials: #1 – Don’t Put Your Data at Risk. #2 – Don’t Forget #1
- Data Privacy and Security are Two Sides of the Same Coin
- Easily Prevent More Breaches by Simply Preventing Bad Passwords
- Back to “The Basics” Blog Series
Leave a Reply