Threat Analysis Unit

Threat Analysis: CVE-2020-0796 – EternalDarkness (ghostSMB)

On March 10, 2020, analysis of an SMB vulnerability was inadvertently shared under the assumption that Microsoft was releasing a patch for it (CVE-2020-0796). As of March 12, Microsoft has released a patch for CVE-2020-0796, a vulnerability specifically affecting SMBv3.

Specifically, an unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to a vulnerable SMBv3 server. Similarly, if an attacker could convince or trick a user into connecting to a malicious SMBv3 server, the user’s SMBv3 client could also be exploited. Whether the target is a server or a client, successful exploitation grants the attacker the ability to execute arbitrary code.

In addition to disabling SMB compression on an impacted server, Microsoft advised blocking any inbound or outbound traffic on TCP port 445 at the perimeter firewall. Additionally, the Computer Emergency Response Team Coordination Center (CERT/CC) advised that organizations verify that SMB connections from the internet are not allowed inbound to an enterprise LAN.

Microsoft released a patch for this vulnerability last week. You can view and download patches for impacted systems here. Remember that the compensating controls provided by Microsoft apply only to SMB servers. SMB clients remain impacted by this vulnerability, and it is critical that these patches are applied as soon as possible to limit exposure.

VMware Carbon Black technologies are built with some fundamental operating system trust principles in mind. From time to time a new attack technique comes along that breaks these trust boundaries, which often underpin the building blocks of the operating system security model. Sometimes new attack techniques make front-page news, but it is important to take a step back and not get caught up in the headlines. These techniques, which belong to the exploitation phase, end up being a very small piece of the overall attacker kill chain.

It is important to remember that these attacks don’t happen in isolation. There is a series of steps that occur both before and after initial infection. Regardless of the attackers’ motives or skill levels, the delivery or exploitation that provides them access into a network is just the beginning of the overall process, a process that almost always includes additional payloads or tools, privilege escalation or credential access, and lateral movement. All of this happens before the attackers can begin to identify and steal the data they are after. VMware Carbon Black aims to detect portions of the kill chain that an attacker must pass through in order to achieve these actions and complete their objective. There are a large number of exploit detection techniques within the VMware Carbon Black platform, as well as hundreds of detection and prevention capabilities across the entire kill chain.

The table below lists the known affected operating system versions, as released by Microsoft.

Windows Server
    Version 1903 (Server Core Installation)
    Version 1909 (Server Core Installation)

Windows 10
    Version 1903 for 32-bit Systems
    Version 1903 for ARM64-based Systems
    Version 1903 for x64-based Systems
    Version 1909 for 32-bit Systems
    Version 1909 for ARM64-based Systems
    Version 1909 for x64-based Systems

Proactive Measures and Mitigations

VMware Carbon Black is providing several methods to determine if endpoints or servers in your environment are vulnerable to CVE-2020-0796.

Identification and Mitigation of Affected Systems

VMware Carbon Black TAU has published a PowerShell script to detect and mitigate EternalDarkness in our public ‘tau-tools’ GitHub repository: EternalDarkness. This script identifies whether a machine has active SMB shares, whether it is running an OS version impacted by this vulnerability, and whether the compression-disabling mitigation key is set; it can optionally set that mitigation key. It can be leveraged with any endpoint configuration management tool that supports PowerShell, as well as with LiveResponse.
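To show the shape of such a check, here is an added example written for this article (it is not the TAU tau-tools script). It assumes that Windows builds 18362 and 18363 correspond to the affected 1903 and 1909 releases listed above, and it uses the DisableCompression value under LanmanServer\Parameters that Microsoft documented as the server-side workaround; setting it requires an elevated session.

```powershell
# Added example, not the tau-tools EternalDarkness script.
# Reports CVE-2020-0796 exposure for this host and, with -Mitigate,
# applies Microsoft's server-side workaround (DisableCompression = 1).
[CmdletBinding()]
param([switch]$Mitigate)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Assumption: build number to release mapping for the affected versions.
$AffectedBuilds = @{ 18362 = '1903'; 18363 = '1909' }

function Get-SmbExposure {
    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $affectedOs = $AffectedBuilds.ContainsKey($build)

    # Non-special shares (anything beyond IPC$/ADMIN$/drive admin shares)
    # indicate the host is actively serving SMB content.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }

    $dc = (Get-ItemProperty -Path $RegPath -Name DisableCompression `
               -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($dc -eq 1)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        ReleaseId           = if ($affectedOs) { $AffectedBuilds[$build] } else { 'n/a' }
        AffectedOsVersion   = $affectedOs
        ActiveShares        = ($shares.Name -join ',')
        CompressionDisabled = $compressionDisabled
        # Workaround state only; it does not confirm the hotfix is installed,
        # and it says nothing about the SMB client side of the bug.
        ServerExposed       = ($affectedOs -and (-not $compressionDisabled))
    }
}

function Set-SmbCompressionDisabled {
    # The documented workaround: REG_DWORD DisableCompression = 1.
    # No reboot is needed; it protects the SMB server role only.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWord -Value 1 -Force
}

$result = Get-SmbExposure
if ($Mitigate -and $result.ServerExposed) {
    Set-SmbCompressionDisabled
    $result = Get-SmbExposure   # re-read so the report reflects the new state
}
$result | Format-List
```

Run it without switches to report only; the object it emits is easy to collect fleet-wide through a configuration management tool or a LiveResponse session.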

PowerShell Execution:

Figure 1: EternalDarkness Powershell output

Live Response – Remote Execution

Leveraging VMware Carbon Black’s LiveResponse API, we can extend the PowerShell script and run it across a fleet of systems remotely. The LiveResponse script is a Python 3 wrapper located in the EternalDarkness GitHub repository. It uploads the aforementioned PowerShell script and can run checks or implement mitigations, depending on the options provided at run time, across the full VMware Carbon Black product line.

Figure 2: LiveResponse Eternal Darkness output

CBC Audit and Remediation Query

Additionally, there is a new CBC Audit and Remediation search in the query catalog titled Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2020-0796), which can be run across your environment to identify impacted hosts. This query identifies whether a machine has active SMB shares, whether it is running an OS version impacted by this vulnerability, whether the compression-disabling mitigation key is set, and whether the system is patched. CBC Audit and Remediation customers will be able to quickly quantify the level of impact this vulnerability has in their network.

Figure 3: CBC Audit and Remediation CVE Search Results

There is also an existing query in the CBC Audit and Remediation query catalog that can be used to detect rogue SMB shares within your network. You can find this query in the IT Hygiene portion of the catalog, named Rogue Share Detection. It’s recommended that you run this query daily to maintain a constant heartbeat on active SMB shares in your network.

Figure 4: CBC Audit and Remediation Rogue Share Search

Enterprise EDR Queries

We have also deployed detections to our Enterprise EDR products that look for the compression-disabling key being modified and for modifications to Windows shares. We believe that attackers could reset this key to turn off the compensating control in order to gain remote access to systems before organizations patch their environment. Coupled with access to Windows shares, an attacker would then be able to move laterally and execute arbitrary code.

Helpful Links