Posted June 17, 2020
Unfortunately, the cybersecurity industry saw this coming. When you combine a remote code execution (RCE) vulnerability allowing privilege escalation, you get a weaponizable and wormable network-based vulnerability. According to researchers, this exploit known as SMBGhost (CVE-2020-0796), has started being seen in the wild, targeting unpatched Windows systems via Microsoft Server Message Block (SMBv3) for Windows 10 and Windows Server versions 1903 and 1909.
To exploit the SMBGhost vulnerability, an attacker sends specially crafted packets to a target host or lure a client to connect to a malicious attacker-controlled SMB server. There are already tools that scan for such vulnerable servers and exploitations that have proven both denial of service and privilege escalation capabilities.
Microsoft suggests blocking SMB at the perimeter firewall (TCP/445) which is already a good security practice, however, organizations that utilize the protocol for internal purposes are left defenseless to exploitation already inside the internal network. Internal network security controls and segmentation are vital to restricting and stopping lateral movement of such vulnerabilities. Although, Microsoft officially released a patch in March 2020, there are still a large number of reported vulnerable hosts still in existence.
Unlike traditional perimeter security solutions, the LookingGlass Aeonik Security Fabric can be deployed on the perimeter and throughout the internal network in a seamless fabric-based architecture, enabling both visibility and protection of network-based vulnerabilities, including SMBGhost among many others.
Aeonik includes the following configuration options when a vulnerable server is detected. These include the default settings of a threshold of 300 seconds for an alert suppression interval based on SMBGhost exploit attempts and a default action of TCP Reset to close the connection once detected to reduce the possibility of compromise utilizing this attack vector.
Aeonik includes SMBGhost specific detection within its Vulnerability Pack. This enables inspection of SMB protocol connection across the deployed fabric searching for vulnerable hosts in both the dialect revision and context count during negotiation.
As shown below, replaying a packet capture of the vulnerability through an Aeonik Network Node, results in a detected alert within the system.
If deployed inline, between the attacker and the targeted host, Aeonik can prevent exploitation of SMBGhost from occurring. If the SMB connection is deemed vulnerable either from a client or server perspective, Aeonik, based on protocol and threat analysis determining a valid threat, can be instructed by an administrative policy to immediately issue a mitigation action to close the connection. Each detection will create a corresponding alert, allowing the user to identify vulnerable hosts on the network and perform remediations appropriately while allowing for necessary time by shielding exploitation attempts to patch vulnerable systems.
In summary, as with any effective security posture, always patch your systems as soon as possible. In practice, this is almost never the case with competing business needs and priorities of the organization. No matter the reason, Aeonik can help. The Aeonik Security Fabric offers numerous features and capabilities providing a holistic view across your enterprise, in addition to both detection and mitigation including the ever more dangerous SMBGhost vulernability.
If you would like to discuss how Aeonik can help meet your visibility and protection needs, please contact me on Twitter @tweet_c_d.