
SMBGhost: Detailed Information and RiskSense System Filter

by Mar 25, 2020

On March 11, 2020, Microsoft published ADV200005, a security advisory about a critical vulnerability (CVE-2020-0796, aka SMBGhost) affecting versions of Windows 10 and Windows Server 2016 released since May 2019. Typically, advisories of this sort are released along with software patches to remediate the vulnerability. In this case, Microsoft did not release the corresponding updates, resulting in an “official” zero-day vulnerability.

SMBGhost is a pre-authentication memory corruption issue affecting SMB 3.1.1 servers and clients. If successfully weaponized, this vulnerability could be used for anonymous remote takeover of Windows hosts, similar to what is achieved by the ETERNALBLUE exploit used by the WannaCry ransomware.

Information about this vulnerability leaked to the public ahead of that advisory through a Cisco Talos “Patch Tuesday” analysis; Cisco Talos later removed all mention of the vulnerability from that analysis. This removal prompted the Twitter account “@MalwrHunterTeam” to nickname the vulnerability “SMBGhost”: “it not exists.”

Microsoft released KB4551762 as an out-of-band emergency patch on Thursday, March 12, 2020 to remediate the vulnerability.

RiskSense analysts expect this vulnerability to have less widespread impact than the MS17-010 vulnerabilities associated with the WannaCry malware due to the relatively brief availability of vulnerable versions. Weaponization of the vulnerability may be limited by secondary protection mechanisms such as KASLR used in the affected, modern versions of Windows 10 and Windows Server 2016. Nevertheless, the vulnerability is serious and RiskSense recommends applying the official patches for this vulnerability as soon as possible.

By using RiskSense’s SMBGhost system filter, you can narrow down which hosts are vulnerable to SMBGhost.

To access this system filter in RiskSense, navigate to either the Network > Hosts or Network > Host Findings page. For this example, we will show you how to apply the SMBGhost system filter to the Network > Hosts page.

To apply the SMBGhost system filter, click the system filters button.

In the system filters menu, click the SMBGhost filter.

The Hosts page is now filtered for hosts vulnerable to SMBGhost.
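For teams working from a scanner export, the same narrowing can be done offline by OS build. The following is an added example, not RiskSense's code or filter logic; the build numbers 18362/18363 and the fixed revision 720 are taken from Microsoft's KB4551762 release notes rather than from this page, and the inventory format and hostnames are constructed.

```python
import re

# Assumption (Microsoft's KB4551762 release notes, not this page): the update
# applies to builds 18362 and 18363 and raises both to update revision 720.
# Later cumulative updates carry higher revisions, so comparing the revision
# avoids false positives that a lookup of the single KB id would produce.
AFFECTED_BUILDS = {18362, 18363}
FIXED_REVISION = 720

VERSION_RE = re.compile(r"^10\.0\.(\d+)\.(\d+)$")


def classify(os_version):
    """Return 'vulnerable', 'patched', 'out_of_scope' or 'unknown'."""
    match = VERSION_RE.match(os_version.strip())
    if not match:
        return "unknown"  # unparseable: keep visible so the host gets rescanned
    build, revision = int(match.group(1)), int(match.group(2))
    if build not in AFFECTED_BUILDS:
        return "out_of_scope"  # build is not one this update applies to
    return "patched" if revision >= FIXED_REVISION else "vulnerable"


def triage(inventory):
    """Group hostnames by status, preserving inventory order."""
    groups = {"vulnerable": [], "patched": [], "out_of_scope": [], "unknown": []}
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory: (hostname, OS version string from a scanner).
SAMPLE = [
    ("ws-014", "10.0.18362.657"),
    ("ws-022", "10.0.18363.720"),
    ("srv-core-03", "10.0.18363.693"),
    ("ws-031", "10.0.17763.1098"),
    ("printer-2", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group should be rescanned with credentials rather than assumed safe.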
