The Windows 10 'SMBGhost' Vulnerability: What to Know & What to Do

On Wednesday March 11th, 2020, reports began to emerge about a vulnerability in the compression mechanism Microsoft added to SMBv3.1.1. If exploited, this vulnerability would allow an attacker to remotely execute code on affected devices and systems.

Not only that, but the vulnerability is considered "wormable", meaning that should an exploit be unleashed, it won't sit still contained to the attacked device; instead it's liable to burrow into your network and crawl from place to place, spreading its wreckage as it goes.

As such, provided an attacker can reach TCP port 445 on a vulnerable machine (no credentials are required), an exploit could result in large swaths of the network being lost to and controlled by malicious parties. Accordingly, the vulnerability is considered maximally severe and has been conferred a CVSS rating of 10/10.

For context, SMB (Server Message Block) is a network protocol built into Windows-based systems. The protocol is used for file and printer sharing over the network, by Active Directory, and more. Typically, network administrators will permit SMB communication over TCP port 445 within an organization but not from the outside.

The vulnerability was given the identifier CVE-2020-0796 and is being popularly referred to as "SMBGhost" and "CoronaBlue".

Disclosure Background

The vulnerability appears to have been leaked prematurely, probably in the course of Microsoft’s efforts to coordinate communications with partners.

As a software superpower with a hand in so much of global computing, Microsoft has a vast and complicated technology partner ecosystem. Some security vendors, for example, partner with the company as part of the Microsoft Active Protections Program (MAPP). One of the benefits of participating in that program is early access to vulnerability news and information concerning Microsoft products and integrations.

In the case of CVE-2020-0796, it seems that Microsoft shared partial information about this vulnerability with MAPP participants, and some of those partners in turn mistakenly released the information more widely. That happened even though Microsoft appears to have been holding off on public disclosure while certain implications of the vulnerability were investigated and the patches in development could be fully validated. As a result, when the news of the vulnerability broke on March 11th, it was not accompanied by security updates or technical information.

Affected Devices and Context

According to Microsoft, the vulnerability exists in a compression feature introduced in version 1903 of Windows 10, hence prior versions are unaffected. The affected versions are delineated in the table below:

Product name      Versions      Platforms
Windows 10        1903, 1909    32-bit, 64-bit, ARM64
Windows Server    1903, 1909    Server Core installation

While it's believed that the cross-industry average of SMBGhost-vulnerable Windows devices with open TCP 445 ports is around 6%, the percentage of such devices found in hospitals is significantly lower — accounting for less than 2% of managed Windows devices. For context, only around 27% of a normal hospital's device fleet will be Windows based. So we're looking at just half of one percent of hospital devices placed at risk due to the SMBGhost vulnerability. 

As the vulnerable aspects of the compression mechanism are not present in older versions of Windows technology, this is that strange case where the industry having a consistent technology lag actually plays to its benefit. For hospitals, it's not just that their equipment in general tends to be older, but that so many medical devices are unmanaged and therefore mostly run outdated software versions.

Still, the fact that this vulnerability leaves a comparatively small opening for attackers to exploit says nothing of the potential impact of a successful breach. It's a little like having a state-of-the-art security system guarding the entrances and exits to a bank, but leaving a small open window to the street in the vault. If someone gets in, your losses will likely be limited solely by the intruder's ambition.

In this sense, SMBGhost calls to mind another SMB vulnerability that was exploited to dramatic effect; specifically, the "EternalBlue" vulnerability in SMBv1 on which the WannaCry attacks were so famously and devastatingly based.

Recommended Actions

After the vulnerability leaked, Microsoft scrambled to complete and QA the patches they were already working on so that they could be issued as soon as possible. Those efforts culminated in the release of security updates on March 13th. Anyone fielding vulnerable machines is strongly advised to install all applicable updates.

Simply follow the guidance outlined by Microsoft here and click through to the appropriate listing in the Microsoft Update Catalog based on the version of Windows 10 or Windows Server.

Of course, to do that you'll need to first have a firm grasp of your device inventory: where you have what type of equipment connected, what operating systems and versions it's running, and so on.

If for some reason you cannot apply the aforementioned security updates, or cannot do so in a timely manner, you should take the following measures as an immediate workaround:

  • Block TCP port 445 at the perimeter firewall and on stations for which SMB is not operationally necessary.
    • This is a best practice regardless of SMBGhost, and it will make things easier when the next SMB issue inevitably arises.
  • Disable SMBv3 compression from an elevated PowerShell prompt on stations for which SMB is operationally required.
    • To disable, use the command below —
      • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
      • This prevents a malicious endpoint from attacking this machine by initiating an SMB connection to it and sending crafted compressed packets. It does not protect this machine's SMB client when it initiates a connection to a malicious server.
        • In other words, disabling compression is only effective on the "server side", i.e. for the endpoint that listens for SMB connections rather than the one that initiates them.
      • No reboot is needed after making the change.
    • To re-enable SMBv3 compression after the patches are applied, use the command below —
      • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
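The inventory and workaround steps above, as an added PowerShell example that is not part of the original post or of Microsoft's guidance: it reports whether a host runs an affected build (Windows 10 and Windows Server 1903 and 1909 report OS builds 18362 and 18363), whether DisableCompression is already set, and whether TCP 445 is listening, then applies or reverts the registry change, optionally adding an inbound firewall block for 445. The function names and the firewall rule label are chosen for this example, and the remote sweep assumes PowerShell remoting is enabled on the targets. The check reports the state of the workaround, not whether the March security update is installed; confirm that separately through Windows Update or Get-HotFix against the update listed in Microsoft's guidance.

```powershell
# Added example for this article (not code from the original post or from Microsoft).
# Checks a host's exposure to CVE-2020-0796 and applies or reverts the registry workaround.
# Assumed: the function names and the firewall rule label are chosen here for illustration.

function Get-SmbGhostExposure {
    # Windows 10 / Windows Server 1903 and 1909 report OS builds 18362 and 18363.
    $affectedBuilds = @(18362, 18363)
    $smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # A missing DisableCompression value means compression is on (the default).
    $disable = (Get-ItemProperty -Path $smbParams -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    # Is the SMB server actually listening on this host?
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Version
        AffectedBuild       = ($build -in $affectedBuilds)
        CompressionDisabled = ($disable -eq 1)
        Port445Listening    = $listening
        # The server-side attack surface is open only when all three conditions hold.
        WorkaroundNeeded    = (($build -in $affectedBuilds) -and ($disable -ne 1) -and $listening)
    }
}

function Get-SmbGhostExposureRemote {
    # Runs the same check on a list of hosts over WinRM (assumes PS remoting is enabled).
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-SmbGhostExposure} |
        Select-Object ComputerName, OSVersion, AffectedBuild, CompressionDisabled, Port445Listening, WorkaroundNeeded
}

function Set-SmbGhostWorkaround {
    # Applies (default) or reverts (-Revert) the DisableCompression setting; no reboot is needed.
    # -BlockPort445 additionally adds an inbound firewall block on hosts that need not serve SMB.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Revert, [switch]$BlockPort445)

    $smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = if ($Revert) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($smbParams, "Set DisableCompression = $value")) {
        Set-ItemProperty -Path $smbParams -Name DisableCompression -Type DWORD -Value $value -Force
    }

    $ruleName = 'Block inbound TCP 445 (SMBGhost workaround)'   # assumed label for this example
    if ($Revert) {
        if ($PSCmdlet.ShouldProcess('Windows Firewall', "Remove rule '$ruleName'")) {
            Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        }
    }
    elseif ($BlockPort445) {
        if ($PSCmdlet.ShouldProcess('Windows Firewall', "Add rule '$ruleName'")) {
            $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
            if (-not $existing) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
            }
        }
    }
}

# Usage (run from an elevated prompt):
Get-SmbGhostExposure | Format-List
# Get-SmbGhostExposureRemote -ComputerName 'ws-01','ws-02' | Format-Table   # fleet sweep over WinRM
# Set-SmbGhostWorkaround -BlockPort445 -WhatIf   # dry run; drop -WhatIf to apply
# Set-SmbGhostWorkaround -Revert                 # once the security update is installed
```

The WorkaroundNeeded flag is deliberately narrow: it is true only when the host is an affected build, compression is still enabled, and the SMB server is listening, which is the combination the server-side workaround addresses. A host that is an affected build but has 445 closed is not exposed as a server, though its SMB client still needs the update.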

Conclusion

With healthcare organizations dealing with so much pressure around COVID-19 and the general milieu of uncertainty, one thing remains clear: cybersecurity challenges must not be ignored, as the SMBGhost vulnerability is only the latest in a long line of mega-vulnerabilities. The cyber landscape will continue to shift and the goal posts will continue to move.

The question we should be asking ourselves isn't what actions we can take to assure our security, but what approach we can take to perpetually improve our security. Almost by definition the required actions will always be different, but the approach on which the best possible outcomes are predicated will remain the same.

We need to keep ourselves and our staffs educated. We need to keep a firm handle over our technology inventory. We need to govern our network communication policies on the basis of fluid and context-aware risk profiling. We need to close ports that have no intended role in a device's normal workflows. We need to continuously monitor digital interactions for suspicious indicators. And above all, we need to be vigilant.

Keeping your hospital running safely, securely, and efficiently will not be easy, but it's hard to think of a job more worthy of your efforts.


Contact CyberMDX today for further guidance and to learn how this vulnerability contributes to your facility's risk profile.