CISA Warns that Windows SMB 3 Exploit Code Now Published

Functional proof-of-concept code for a Server Message Block (SMB) 3.1.1 vulnerability in newer Windows systems has been published, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Friday.

This "Critical"-rated vulnerability (CVE-2020-0796) was addressed via an "out-of-band" patch from Microsoft back in March, and there were no known attacks described at the time. Now CISA, part of the U.S. Department of Homeland Security, is likely renewing the alert because systems still aren't patched and workable exploit code is now available.

The vulnerability, described in the CVE-2020-0796 bulletin, is sometimes also called "SMBGhost" by researchers. It's present in Windows client and server (server core only) systems at versions 1903 and 1906, but not in older Windows systems.

An exploit could lead to remote code execution attacks on a client or server. A security researcher going by the name of "Chompie" released exploit code that's been tested by CISA security researcher Will Dormann. He found that the code worked some of the time, according to a Bleeping Computer article.

Dormann described the vulnerability in a CERT Note as being related to how SMB 3 handles "connections that use compression," permitting the execution of code on a system by an unauthenticated attacker. He added that "it has been reported that this vulnerability is 'wormable,'" which appears to be what security researchers have been saying. Microsoft, though, hasn't used that word in its announcements.

An infamous wormable SMB 1 exploit affecting Windows XP systems, dubbed "WannaCry," turned out to be a wiper disguised as ransomware. It used leaked U.S. National Security Agency weaponized code that disabled the networks of hospitals, shipping companies, pharmaceutical manufacturers and more worldwide about three years ago.

For those having problems patching, Microsoft's advisory did include a workaround. Organizations can also help ward off exploits by blocking TCP port 445 at the firewall, Microsoft indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

