SMBGhost: Detailed Information and RiskSense System Filter

Additional information regarding the SMBGhost vulnerability and how to use the SMBGhost filter in RiskSense.

On March 11, 2020 Microsoft published ADV200005, a security advisory about a critical vulnerability (CVE-2020-0796, also known as SMBGhost) affecting versions of Windows 10 and Windows Server 2016 released since May 2019. Typically, advisories of this sort are released along with software patches to remediate the vulnerability. In this case, Microsoft did not release the corresponding updates resulting in an "official" zero-day vulnerability.

SMBGhost is a pre-authentication memory corruption issue affecting SMB 3.1.1 servers and clients. If successfully weaponized this vulnerability could be used for anonymous remote takeover of Windows hosts similar to what is achieved by the ETERNALBLUE exploit used by the WannaCry ransomware.

Information about this vulnerability was leaked to the public ahead of that advisory through a Cisco Talos "Patch Tuesday" analysis including information about this vulnerability; Cisco Talos later removed all information about this vulnerability from that analysis. This removal of information prompted the twitter account "@MalwrHunterTeam" to nickname the vulnerability "SMBGhost": "it not exists."

Microsoft released KB4551762 as an out-of-band emergency patch on Thursday, March 12, 2020 to remediate the vulnerability.

RiskSense analysts expect this vulnerability to have less widespread impact than the MS17-010 vulnerabilities associated with the WannaCry malware due to the relatively brief availability of vulnerable versions. Weaponization of the vulnerability may be limited by secondary protection mechanisms such as KASLR used in the affected, modern versions of Windows 10 and Windows Server 2016. Nevertheless, the vulnerability is serious and RiskSense recommends applying the official patches for this vulnerability as soon as possible.

---

By using RiskSense’s SMBGhost system filter, you can narrow down which of your hosts are vulnerable to SMBGhost.

To access this system filter in RiskSense, navigate to either the Network > Hosts or Network > Host Findings page. For this example, we will show you how to apply the SMBGhost system filter to the Network > Hosts page.

Hosts Menu Location

To apply the SMBGhost system filter, click the system filters (System Filter - Small-1) button.

SMBGhost Filter - System Filter Button Location

In the system filters menu, click the SMBGhost filter.

SMBGhost Filter - SMBGhost Filter Location

The Hosts page is now filtered for hosts vulnerable to SMBGhost.