A security researcher has developed new proof-of-concept (PoC) code that can exploit an SMBv3 compression remote code execution (RCE) vulnerability on unpatched Windows systems.
Although Microsoft patched the SMBv3 RCE vulnerability CVE-2020-0796 back in March, the researcher going by the name of “chompie1337” posted new PoC exploit code on GitHub last week.
Chompie1337 further noted the SMBGhost_RCE_PoC code had only been tested in his lab environment and “needs some work to be more reliable.”
The Cybersecurity and Infrastructure Security Agency (CISA) also confirmed they are aware of publicly available and functional PoC code that can exploit CVE-2020-0796 on unpatched systems.
Furthermore, the Computer Emergency Response Team Coordination Center (CERT/CC) updated an advisory on June 5 with more details, including a reference to the PoC and previously disclosed vulnerability details.
Microsoft previously disclosed the SMBv3 vulnerability in a March advisory:
“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.”
Shortly afterwards, Bleeping Computer reported that 48,000 Windows hosts were found vulnerable to CVE-2020-0796 RCE attacks, dubbed SMBGhost. Security researchers at cybersecurity firm Kryptos Logic discovered the vulnerability.
Organizations should scan their environments again to make sure no systems are missing the CVE-2020-0796 patch.