Azure ATP now detects SMBGhost
The SMB vulnerability CVE-2020-0796, also known as "SMBGhost" or "CoronaBlue", was published on 12 March 2020.
This CVE describes a potential unauthenticated remote code execution caused by an integer overflow, leading to a buffer overflow, in the way the SMBv3 (3.1.1) server handles compressed SMB messages. The vulnerability affects Windows 10 and Windows Server, versions 1903 and 1909; earlier releases (including Windows Server 2019, version 1809) do not implement SMBv3 compression and are not affected.
An attacker can exploit this vulnerability without authenticating, sending crafted packets to TCP port 445 in an attempt to gain control of the remote server.
Because it is wormable, the vulnerability has the potential to spread widely, in the same way EternalBlue abused the SMB protocol in 2017.
It's important to protect critical Windows servers by installing the patch, KB4551762, or, where patching is not yet possible, by following the suggested mitigations and workarounds: disabling SMBv3 compression on the server and blocking TCP port 445 at the enterprise perimeter firewall.
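The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling. It checks whether a host is on an affected build and below the fixed update build revision, reports whether the SMBv3 compression workaround is already in place, and applies that workaround if the host is still exposed. The function names, the output object and the fixed UBR value of 720 (the March 2020 builds 18362.720 / 18363.720 that shipped KB4551762) are this example's assumptions; run it in an elevated session.

```powershell
# Added example (not from the original post): assess and mitigate CVE-2020-0796 on the local host.
# Requires an elevated PowerShell session. Assumptions: only builds 18362 (1903) and 18363 (1909)
# are affected, and UBR >= 720 means KB4551762 or a later cumulative update is installed.

function Get-SmbGhostExposure {
    [CmdletBinding()]
    param()

    $versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $version    = Get-ItemProperty -Path $versionKey
    $build      = [int]$version.CurrentBuildNumber
    $ubr        = [int]$version.UBR   # Update Build Revision, bumped by each cumulative update

    # Only 1903 (18362) and 1909 (18363) ship the vulnerable SMBv3 compression code.
    $affectedBuild = $build -in 18362, 18363

    # KB4551762 raised both affected builds to revision 720; later LCUs supersede it, so checking
    # the UBR is more reliable than looking for the KB number with Get-HotFix.
    $patched = $ubr -ge 720

    # Microsoft's documented workaround: DisableCompression = 1 under LanmanServer\Parameters.
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $disable   = (Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($disable -eq 1)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = "$build.$ubr"
        AffectedBuild       = $affectedBuild
        Patched             = $patched
        CompressionDisabled = $compressionDisabled
        Exposed             = ($affectedBuild -and -not $patched -and -not $compressionDisabled)
    }
}

function Disable-SmbV3Compression {
    # Applies the registry workaround. It protects the SMB server side only (an SMB client
    # connecting to a malicious server is still vulnerable) and takes effect without a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ($PSCmdlet.ShouldProcess($paramsKey, 'Set DisableCompression = 1')) {
        Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value 1 -Force
    }
}

$status = Get-SmbGhostExposure
$status | Format-List

if ($status.Exposed) {
    Write-Warning 'Host is exposed to CVE-2020-0796; applying the compression workaround. Install KB4551762 as soon as possible.'
    Disable-SmbV3Compression
}
```

The workaround is a stopgap: it does not protect SMB clients, and the registry value should be removed again (or left in place deliberately) once KB4551762 or a later cumulative update is installed. Use `-WhatIf` on `Disable-SmbV3Compression` to preview the change on a fleet before applying it.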
In addition, a new Azure ATP detection release makes it possible to identify attempts to use this vulnerability against unpatched Domain Controllers. The detection identifies crafted packets attempting to exploit SMBv3 compression, so a triggered alert on a domain controller is a signal to verify the KB4551762 status of that host and investigate the source of the traffic.