
CISA warns of attacks using SMBGhost vulnerability

ALBERT

Various malware operators used SMBGhost to remotely execute code.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned Windows users that the recently published PoC exploit for the wormable vulnerability in Windows 10 (CVE-2020-0796) is being used to carry out attacks.

SMBGhost, also known as CoronaBlue, is a vulnerability in version 3.1.1 of the Microsoft Server Message Block (SMBv3) network data transfer protocol. The vulnerability affects Windows 10 and Windows Server and can be used for DoS attacks, local privilege escalation and arbitrary code execution on the system.

To carry out attacks on SMB servers, an attacker needs to send malicious packets to the target system. The attacker must also trick the victim into connecting to a malicious SMB server.

Microsoft announced the vulnerability, and then released patches and mitigations against its exploitation, in March this year. Researchers began publishing PoC exploits for the vulnerability shortly after it was discovered, but they focused only on DoS attacks or privilege escalation. Several companies and researchers claimed to have developed PoC code that exploits the vulnerability for remote code execution, but none of it was made public.

However, last week a researcher using the pseudonym Chompie published a PoC exploit for SMBGhost that allows remote code execution. According to Chompie, it is not 100% reliable and can cause the system to malfunction; however, several experts who tested the exploit confirmed that remote code execution can be performed.

CISA recommended that users and administrators install the patches for SMBGhost and block SMB ports using a firewall, and warned that the vulnerability was being exploited by criminals.
 