Need a (SMB)Ghost Buster?
How CloudShield Eclipse Handles SMB Exploits

Posted June 17, 2020


Unfortunately, the cybersecurity industry saw this coming. When a remote code execution (RCE) vulnerability also allows privilege escalation, you get a weaponizable and wormable network-based vulnerability.

What is SMBGhost?

According to researchers, SMBGhost (CVE-2020-0796) is an SMB exploit that has started being seen in the wild, targeting unpatched Windows systems via Microsoft Server Message Block (SMBv3) for Windows 10 and Windows Server versions 1903 and 1909.

To exploit the SMBGhost vulnerability, an attacker sends specially crafted packets to a target host or lures a client into connecting to a malicious attacker-controlled SMB server. There are already tools that scan for such vulnerable servers, and exploits that have demonstrated both denial of service and privilege escalation capabilities.

Microsoft suggests blocking SMB at the perimeter firewall (TCP/445), which is already a good security practice. However, organizations that use the protocol for internal purposes are left defenseless against exploitation that is already inside the internal network. Internal network security controls and segmentation are vital to restricting and stopping lateral movement that exploits such vulnerabilities. Although Microsoft officially released a patch in March 2020, a large number of vulnerable hosts are still being reported.

How does CloudShield Eclipse handle SMBGhost?

Unlike traditional perimeter security solutions, LookingGlass CloudShield Eclipse can be deployed on the perimeter and throughout the internal network in a seamless fabric-based architecture, enabling both visibility and protection of network-based vulnerabilities, including SMBGhost among many others.

Figure 2 - Network Topology With Aeonik

CloudShield Eclipse provides the following configuration options for when a vulnerable server is detected. The defaults are a 300-second alert suppression interval for SMBGhost exploit attempts and a TCP Reset action that closes the connection once an attempt is detected, reducing the possibility of compromise through this attack vector.

Figure 3 - Aeonik SMBGhost Configuration

Detection

CloudShield Eclipse includes SMBGhost-specific detection within its Vulnerability Pack. This enables inspection of SMB protocol connections across the deployed fabric, searching for vulnerable hosts by examining both the dialect revision and the context count during negotiation.
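As an added illustration (not CloudShield Eclipse code and not from the original post), this Python example reads the two negotiation fields named above, the dialect revision and the negotiate context count, from an SMB2 NEGOTIATE response and walks the contexts that follow. Field offsets follow the MS-SMB2 message layout; flagging on an advertised compression context is an assumption of this example, the function names and sample bytes are constructed, and a flag means only that the host negotiates SMB 3.1.1 with compression, so patch state must still be confirmed separately.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
DIALECT_311 = 0x0311         # SMB 3.1.1 DialectRevision
CTX_COMPRESSION = 0x0003     # SMB2_COMPRESSION_CAPABILITIES context type

def inspect_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (NetBIOS length prefix already removed)."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 NEGOTIATE response")
    if struct.unpack_from("<H", msg, 12)[0] != 0:      # header Command field
        raise ValueError("not a NEGOTIATE message")
    dialect, ctx_count = struct.unpack_from("<HH", msg, 68)
    res = {"dialect": dialect, "context_count": ctx_count,
           "context_types": [], "compression_algorithms": [], "flag": False}
    if dialect != DIALECT_311:
        return res                                     # contexts only exist in 3.1.1
    pos = struct.unpack_from("<I", msg, 124)[0]        # NegotiateContextOffset
    for _ in range(ctx_count):
        if pos + 8 > len(msg):
            raise ValueError("truncated negotiate context header")
        ctx_type, data_len = struct.unpack_from("<HH", msg, pos)
        data = msg[pos + 8:pos + 8 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated negotiate context data")
        res["context_types"].append(ctx_type)
        if ctx_type == CTX_COMPRESSION and data_len >= 8:
            count = struct.unpack_from("<H", data, 0)[0]
            if 8 + 2 * count > data_len:
                raise ValueError("bad compression algorithm count")
            res["compression_algorithms"] = list(struct.unpack_from(f"<{count}H", data, 8))
        pos = (pos + 8 + data_len + 7) & ~7            # contexts are 8-byte aligned
    res["flag"] = bool(res["compression_algorithms"])
    return res

def build_sample(dialect: int, contexts: list) -> bytes:
    """Constructed input: minimal NEGOTIATE response carrying the given contexts."""
    msg = SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)           # 64-byte header
    msg += struct.pack("<HHHH", 65, 1, dialect, len(contexts)) + bytes(48)
    msg += struct.pack("<HHI", 128, 0, 128 if contexts else 0)     # buffer/context offsets
    for ctx_type, data in contexts:
        msg += struct.pack("<HHI", ctx_type, len(data), 0) + data
        msg += bytes(-len(msg) % 8)                                # pad to 8 bytes
    return msg

PREAUTH = (0x0001, struct.pack("<HHH", 1, 32, 1) + bytes(32))      # constructed
COMPRESSION = (0x0003, struct.pack("<HHIH", 1, 0, 0, 0x0001))      # one algorithm id
SAMPLE = build_sample(DIALECT_311, [PREAUTH, COMPRESSION])
```

Calling `inspect_negotiate_response(SAMPLE)` returns the parsed dialect, context count, context types and advertised compression algorithms, which is the host inventory an alert of this kind would feed.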

As shown below, replaying a packet capture of the vulnerability through a CloudShield Eclipse Network Node results in a detected alert within the system.

Figure 4 - SMBGhost Attempt
Figure 5 - Aeonik SMBGhost Alerts

Mitigation

If deployed inline, between the attacker and the targeted host, CloudShield Eclipse can prevent SMB exploits from occurring. If the SMB connection is deemed vulnerable from either a client or server perspective, and protocol and threat analysis determines a valid threat, an administrative policy can instruct CloudShield Eclipse to immediately issue a mitigation action that closes the connection. Each detection creates a corresponding alert, allowing the user to identify vulnerable hosts on the network and remediate them appropriately, while shielding against exploitation attempts provides the time needed to patch vulnerable systems.

As with any effective security posture, always patch your systems as soon as possible. In practice, this is almost never the case, given the competing business needs and priorities of the organization. No matter the reason, CloudShield Eclipse can help. CloudShield Eclipse offers numerous features and capabilities providing a holistic view across your enterprise, in addition to both detection and mitigation of various SMB exploits, including the ever more dangerous SMBGhost vulnerabilities.

If you would like to discuss how CloudShield Eclipse can help meet your visibility and protection needs, please contact me on Twitter or reach out to us directly to schedule a demo.
