Experts demonstrate exploit for SMBGhost RCE vulnerability

In March 2020, information was published about CVE-2020-0796, also known as SMBGhost. It affects SMBv3, and almost all Windows systems were vulnerable to the bug. Now experts have demonstrated an exploit for the SMBGhost RCE vulnerability.

Let me remind you that a few years ago the SMB protocol helped WannaCry and NotPetya spread around the world.

According to Fortinet, the vulnerability is a buffer overflow on Microsoft SMB servers.

“The problem manifests itself when the vulnerable software processes a malicious packet of compressed data. A remote and unauthenticated attacker can use this to execute arbitrary code in the application context”, said Fortinet researchers.

Cisco Talos experts warned that “exploiting the vulnerability opens systems for attacks with worm potential.”

Although emergency patches for CVE-2020-0796 were released back in March of this year, researchers are still concerned about this problem.

“The fact is that, as usual, not everyone took care of installing patches in a timely manner, and more recently you can find about 48,000 hosts with open SMB ports on the Internet that are vulnerable to potential attacks with the new bug”, said Kryptos Logic experts.

Even worse, the first PoC exploits for SMBGhost were already published in early April; they achieve denial of service (DoS) and local privilege escalation. A PoC for remote code execution was not published because of its danger.

Now an RCE exploit for the vulnerability has been developed and presented by a researcher from Ricerca Security. The researcher not only demonstrated the potentially dangerous exploit on video and shared it with Bleeping Computer, but also published a detailed description of it.

So far, Ricerca Security has not released the exploit source publicly, as the experts are afraid to put such a dangerous tool into criminals’ hands. As a result, the PoC is currently available exclusively to the company’s customers, but that is unlikely to last long.

Users are again urged to install the updates fixing CVE-2020-0796 as soon as possible. If that is impossible for some reason, Microsoft recommends disabling SMBv3 compression and blocking TCP port 445.
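As an added example (not from the article or from Microsoft), the following PowerShell audits and applies both workarounds on a single Windows host. It assumes an elevated session; the registry path and `DisableCompression` value are the ones Microsoft documented for this workaround, while the firewall rule name is an arbitrary choice.

```powershell
# Added example: audit and apply the CVE-2020-0796 workarounds. Run as Administrator.
# Registry location of the SMB server compression switch (Microsoft's documented workaround).
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbCompressionDisabled {
    # Returns $true only when the DisableCompression DWORD exists and equals 1.
    $v = Get-ItemProperty -Path $Key -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableCompression -eq 1)
}

function Disable-SmbCompression {
    # Weak state: value absent or 0 (compression on; exploitable if unpatched).
    # Hardened state: DisableCompression = 1. Takes effect without a reboot.
    Set-ItemProperty -Path $Key -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Block-InboundSmb {
    # Second mitigation: block inbound TCP/445 at the host firewall.
    # The rule name is an assumption; the check keeps the script idempotent.
    $name = 'Block inbound SMB (TCP 445) - CVE-2020-0796 workaround'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

if (-not (Test-SmbCompressionDisabled)) {
    Write-Host 'SMBv3 compression is enabled: applying workaround.'
    Disable-SmbCompression
}
Block-InboundSmb
Write-Host ("SMBv3 compression disabled: {0}" -f (Test-SmbCompressionDisabled))
```

The compression switch only protects the SMB server role, not outbound SMB client connections, so it is a stopgap until the March 2020 update is installed.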

James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.
