The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security has warned Windows users that a recently released proof-of-concept (PoC) exploit for the vulnerability tracked as SMBGhost is being used to launch attacks.
SMBGhost, also known as CoronaBlue and tracked as CVE-2020-0796, is a vulnerability in Server Message Block 3.0 (SMBv3), specifically in how SMBv3.1.1 handles certain requests. The vulnerability affects Windows 10 and Windows Server and can be used for denial-of-service (DoS) attacks, local privilege escalation and arbitrary code execution.
Against an SMB server, the attacker exploits the flaw by sending malicious packets to the targeted server. Against an SMB client, the attacker has to persuade the user to connect to a malicious SMB server.
Microsoft warned when it disclosed the vulnerability that it is wormable, which makes it particularly dangerous. In March the firm released patches and workarounds.
Shortly after its release, researchers started releasing PoC exploits for CVE-2020-0796, but the exploits only achieved DoS, or privilege escalation. Some companies and researchers reported they had developed exploits that managed to execute remote code, but none of them were made public.
However, a researcher who uses the online alias Chompie published an SMBGhost exploit last week that achieves remote code execution. The researcher released it for “educational purposes,” noting that the cybersecurity company ZecOps was about to release its own PoC in the coming days and that the patch had been available for months.
Chompie said the PoC isn’t reliable and often causes the target system to crash, but several experts have confirmed that it does achieve remote code execution.
It seems that A LOT of people are interested in the #SMBGhost CVE-2020-0796 RCE PoC source. Since @ZecOps will be releasing theirs in the coming days, and the bug has been patched for months, I think it's OK to release for educational purposes. Find it here: https://t.co/6rA7yPCkeA https://t.co/NVkyKu6UMf
— chompie (@chompie1337) June 2, 2020
On Friday, CISA advised users and administrators to install SMBGhost patches and block SMB ports using a firewall, and warned the vulnerability was exploited in the wild.
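As an added example (not part of the article or of CISA's advisory), the following PowerShell audits a Windows host against the two interim mitigations above: Microsoft's documented workaround of disabling SMBv3 compression via the `DisableCompression` registry value, and blocking inbound TCP 445 at the host firewall. It assumes it runs as Administrator and that the affected builds are Windows 10/Server version 1903 (build 18362) and 1909 (build 18363), as listed in Microsoft's advisory; the firewall rule name is a constructed placeholder.

```powershell
# Added example (not from the article or CISA): audit a Windows host for
# SMBGhost (CVE-2020-0796) interim mitigations and optionally apply them.
# Assumptions: run as Administrator; affected builds are 18362 (1903) and
# 18363 (1909) per Microsoft's advisory; the rule name below is made up.
param([switch]$Remediate)

$SmbParams      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$AffectedBuilds = @(18362, 18363)
$RuleName       = 'Block SMB 445 Inbound (SMBGhost)'
$build          = [System.Environment]::OSVersion.Version.Build

$report = [ordered]@{
    Build                = $build
    BuildIsAffected      = $AffectedBuilds -contains $build
    CompressionDisabled  = $false
    Smb445InboundBlocked = $false
}

# Microsoft workaround: DisableCompression = 1 keeps the vulnerable SMBv3
# compression path from being reached on the server side.
$dc = Get-ItemProperty -Path $SmbParams -Name DisableCompression -ErrorAction SilentlyContinue
$report.CompressionDisabled = ($null -ne $dc -and $dc.DisableCompression -eq 1)

# CISA guidance: block SMB (TCP 445) inbound; check for an enabled Block rule.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$report.Smb445InboundBlocked = ($null -ne $rule -and
                                $rule.Enabled -eq 'True' -and
                                $rule.Action -eq 'Block')

if ($Remediate -and $report.BuildIsAffected) {
    if (-not $report.CompressionDisabled) {
        Set-ItemProperty -Path $SmbParams -Name DisableCompression -Type DWORD -Value 1 -Force
        $report.CompressionDisabled = $true
    }
    if (-not $report.Smb445InboundBlocked) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        $report.Smb445InboundBlocked = $true
    }
}

# The workaround and firewall rule are stopgaps, not a substitute for the
# March 2020 security update; the report only shows whether they are in place.
[pscustomobject]$report
```

Run without `-Remediate` to produce a read-only report suitable for fleet-wide inventory; note that the compression workaround protects the SMB server role only, not a client that is lured to a malicious server.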
“While Microsoft disclosed and issued updates for this vulnerability in March 2020, according to recent open-source reports, malicious cyber actors target unpatched systems with the latest PoC,” CISA said.
Researchers previously warned that SMBGhost had been exploited by various pieces of malware to escalate privileges and spread locally, but now it appears the vulnerability is also being exploited for remote code execution. No specifics appear to be available about what exactly the attackers are doing.
The malware research group MalwareMustDie reported that the latest attacks also leveraged an open source tool that helps users identify servers affected by SMBGhost.