SMBGhost: Strange SMB Vulnerability Disclosures and Wannacry 2.0?

A new critical vulnerability affecting Windows systems came to light on Tuesday, affecting SMB services used by the latest versions of Windows 10 and Windows Server 2019. Due to the strange circumstances under which the weakness was disclosed, which we’ll go into below, the security community has dubbed the vulnerability: ‘SMBGhost’.

Unusually, the vulnerability was not included in this week’s Patch Tuesday. The circumstances of the disclosure didn’t exactly follow normal proceedings, and Microsoft only publicly disclosed the vulnerability after two of its partners (Cisco Talos, Fortinet) published information about it. This slip-up gives an intriguing insight into vulnerability discovery and disclosure and does leave one wondering how many Patch Tuesdays it would have been before the wider community was made aware, had this mistake not been made.

To SMB, or not to SMB

The flaw (CVE-2020-0796) affects the latest versions of the Server Message Block (SMB) protocol, which is a Windows service used for remote file and printer sharing. The weakness, which results from the way the protocol incorrectly handles data compression, could allow an attacker to remotely execute code on a vulnerable system, or cause the server to crash. The flaw affects both SMB servers and SMB clients, which means attackers could either attack vulnerable SMB services, or they could set up their own malicious service and try to convince unsuspecting users to connect to it and attempt to compromise their machines.

The most notable and recent example of an SMB vulnerability like this one was ETERNALBLUE (CVE-2017-0144), which led to the 2017 ‘WannaCry’ outbreak. ‘WannaCry’ caused the compromise of over 200,000 systems worldwide, impacted over 150 countries and cost approximately $4 billion in financial losses. These two vulnerabilities are similar, and it’s likely that attackers will attempt to leverage SMBGhost in the same way. The vulnerability is ‘wormable’, meaning malware can be designed to make compromised systems attack other systems in order to spread deeper within networks.

Wannacry 2.0?

So, should we expect an imminent outbreak of malware which is comparable to the WannaCry attacks? The TL;DR on this is: yes, but probably not quite so bad.

Compared with ETERNALBLUE, SMBGhost has far fewer affected SMB services exposed to the internet, compared with vulnerable services at the time of WannaCry. That said, a large number of affected services are still exposed:

Both weaknesses affect a single version of SMB, and in both cases exploitation can be carried out by an unauthenticated attacker. Unlike WannaCry though, SMBGhost can also affect SMB clients, potentially opening up some different and interesting avenues of exploitation. SMBGhost only affects much newer versions of Windows than ETERNALBLUE did, so it might be fair to assume that organisations deploying more recent technologies have a better handle on patching and vulnerability management, but you never know!

There are currently no publicly available exploits for SMBGhost, but it will surely only be a matter of time. The WannaCry attacks were carried out within 60 days of Microsoft’s initial vulnerability disclosure, but the circumstances under which the ETERNALBLUE exploit was released were unusual, because these exploits were in use by the NSA for years before Microsoft even knew about the weakness. However, it wouldn’t be too surprising if a working exploit is developed for SMBGhost to a similar timeline, so it’s certainly time to think about putting mitigations before it’s too late.

What can I do?

Check whether your versions of Windows are vulnerable by taking a look at Microsoft's Security Advisory. A patch has now been released for vulnerable servers, and servers which expose SMB to the internet or within a private network should be looked at as a priority.

It may not be time to give up the ghost on SMB entirely, though this service was never intended to be internet-exposed, and exposing it publicly greatly increases the risk of zero-days like this one cropping up. Services like SMB are best secured by exposing them within a private network and using a VPN where remote access is required. Reducing your attack surface in this way is the best strategy for protecting against zero-day exploitation against a wide range of services, though it’s worth noting that this would not prevent exploitation from within the internal network, and internal services should still be patched.

Intruder’s continuous vulnerability monitoring service includes scanning for services like SMB which should not be exposed to the internet. Our cloud-based scanning platform can be used to check for known vulnerabilities in software on your perimeter and reduce your attack surface to minimise your risk of exposure to zero-day threats like SMBGhost. For a free trial for up to 30 days, click here.