CISA Warns that Windows SMB 3 Exploit Code Now Published

Functional proof-of-concept code for a Server Message Block (SMB) 3.1.1 vulnerability in newer Windows systems has been published, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Friday.

This "Critical"-rated vulnerability (CVE-2020-0796) was addressed via an "out-of-band" patch from Microsoft back in March, and there were no known attacks described at the time. Now CISA, part of the U.S. Department of Homeland Security, is likely renewing the alert because systems still aren't patched and workable exploit code is now available.

The vulnerability, described in the CVE-2020-0796 bulletin, is sometimes also called "SMBGhost" by researchers. It's present in Windows client and server (server core only) systems at versions 1903 and 1906, but not in older Windows systems.

An exploit could lead to remote code execution attacks on a client or server. A security researcher going by the name of "Chompie" released exploit code that's been tested by CISA security researcher Will Dormann. He found that the code worked some of the time, according to a Bleeping Computer article.

Dormann described the vulnerability in a CERT Note as being related to how SMB 3 handles "connections that use compression," permitting the execution of code on a system by an unauthenticated attacker. He added that "it has been reported that this vulnerability is 'wormable,'" which appears to be what security researchers have been saying. Microsoft, though, hasn't used that word in its announcements.

An infamous wormable SMB 1 exploit affecting Windows XP systems, dubbed "WannaCry," turned out to be a wiper disguised as ransomware. It used leaked U.S. National Security Agency weaponized code that disabled the networks of hospitals, shipping companies, pharmaceutical manufacturers and more worldwide about three years ago.

For those having problems patching, Microsoft's advisory did include a workaround. Organizations can also help ward off exploits by blocking TCP port 445 at the firewall, Microsoft indicated.
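A host-level check for the port 445 mitigation mentioned above, as an added example that is not from the article, Microsoft or CISA: it lists the enabled inbound Windows Firewall rules that allow TCP 445 and can add a block rule for the Public profile. It covers only the local Windows Firewall, not a perimeter device, and the function names and the rule display name are hypothetical.

```powershell
# Added example (not from the article). Run elevated; needs the NetSecurity
# module that ships with Windows 8 / Server 2012 and later.

function Test-PortSpec {
    # True when a firewall LocalPort entry ('445', '400-500', 'Any') covers $Port.
    # Keyword entries such as 'RPC' never match a numeric port.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Spec -eq "$Port")
}

function Get-Smb445Exposure {
    # ActiveStore includes rules delivered by Group Policy as well as local ones.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
        Where-Object { $_.Action -eq 'Allow' } |
        ForEach-Object {
            $rule   = $_
            $ports  = $rule | Get-NetFirewallPortFilter
            $addrs  = $rule | Get-NetFirewallAddressFilter
            if ($ports.Protocol -notin 'TCP', '6', 'Any') { return }
            if (-not ($ports.LocalPort | Where-Object { Test-PortSpec $_ 445 })) { return }
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = "$($rule.Profile)"
                RemoteAddress = $addrs.RemoteAddress -join ','
                # Reachable from untrusted networks, or from any source address
                Broad         = ("$($rule.Profile)" -match 'Public|Any') -or
                                ($addrs.RemoteAddress -contains 'Any')
            }
        }
}

function Add-Smb445PublicBlock {
    # Assumption: this machine should never accept SMB on a Public network.
    # Block rules take precedence over allow rules in Windows Firewall.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (Public)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block
}

Get-Smb445Exposure | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Rows with `Broad` set to `True` are the ones to review first; call `Add-Smb445PublicBlock` only on machines that do not need to serve files on Public networks.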

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

