SMBGhost Rce Vulnerability Scanner (CVE-2020-0796) Detail
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code or cause denial of service on the target server or client.
What is SMBGhost Remote Code Execution Vulnerability?
In March 2020, Microsoft released the advisory CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.
According to security researchers, the vulnerability occurs in the “SmbCompressDecompress” function. Both the SMBv3 client and server implementations use this function, which makes both of them vulnerable.
You can check whether your client or server is affected by this vulnerability against the list below:
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
How To Check SMBGhost Remote Code Execution Vulnerability?
You can check for the SMBGhost Remote Code Execution vulnerability with our free online SMBGhost Rce Vulnerability Scanner (CVE-2020-0796) tool. To do this, type your domain name or IP address in the form at the top of the page and start the scan.
Also, you can use this PoC code to check the vulnerability.
Some Advice for Common Problems
Apply the security update released by Microsoft. You can install this security update from here.
- For SMB servers, you can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
- For SMB clients, block TCP port 445 at the enterprise perimeter firewall.
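
To confirm on a server that the compression workaround above is actually in place, the following added example (not part of the original page or of any Microsoft tooling) reads the same registry value and reports it alongside the OS build. The function name and output property names are hypothetical, and the build check only identifies versions 1903 and 1909; it does not tell you whether the security update is installed.

```powershell
# Added example: audit the SMBv3 compression workaround on the local host.
# Function and property names are hypothetical, chosen for this illustration.
function Get-SmbCompressionWorkaroundStatus {
    [CmdletBinding()]
    param(
        # Same key the workaround command on this page writes to.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    )

    # Windows 10 / Windows Server versions 1903 and 1909 report builds 18362 and 18363.
    $affectedBuilds = 18362, 18363
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber

    # DisableCompression is absent by default; absent or 0 means compression is still enabled.
    $item = Get-ItemProperty -Path $Path -Name DisableCompression -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.DisableCompression } else { $null }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = $build
        AffectedVersion    = $affectedBuilds -contains $build
        DisableCompression = $value
        WorkaroundApplied  = ($value -eq 1)
    }
}

$status = Get-SmbCompressionWorkaroundStatus
$status | Format-List

# Flag hosts that are on a listed version and still have compression enabled.
if ($status.AffectedVersion -and -not $status.WorkaroundApplied) {
    Write-Warning 'Listed version with SMBv3 compression enabled: install the update or set DisableCompression to 1.'
}
```

The registry setting only covers the SMB server role, so a host reported as WorkaroundApplied still needs the security update to protect its SMB client side.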