
This post is authored by Mor Rubin, Security Researcher, Azure ATP.

 

The SMB vulnerability CVE-2020-0796, also known as “SMBGhost” or “CoronaBlue”, was published a few days ago. This CVE describes a potential remote code execution due to a buffer overflow vulnerability in the way SMBv3 (3.1.1) handles SMBv2 compression requests. The vulnerability affects Windows 10 and Windows Server 2019 versions 1903 and 1909.

 

A few proofs of concept that trigger this vulnerability have been published already, one of them on GitHub. So far, the tools published online are expected to cause a “blue screen” if the target Windows server is vulnerable to this issue. As most of the critical servers in an organization are Windows servers, attackers will exploit this vulnerability to try to gain control of the remote servers without authenticating.

 

The vulnerability has the potential to become widely spread, similar to the way EternalBlue exploited the SMB protocol in 2017. It’s important to protect critical Windows servers by installing a patch, KB4551762, or following other suggested mitigations and workarounds.
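As an added example (not part of the original post), the following PowerShell audits a host against the two mitigations named above: it checks whether the build is one of the affected releases, whether KB4551762 is installed, and whether the server-side SMB compression workaround from Microsoft's advisory for this CVE is in place. It assumes build numbers 18362 and 18363 for versions 1903 and 1909, and the `DisableCompression` value under the LanmanServer parameters key as the advisory's workaround.

```powershell
# Added example, not code from the original post. Audits one host for CVE-2020-0796 exposure.
# Assumptions: builds 18362 (1903) and 18363 (1909) are the affected releases named in the post;
# KB4551762 is the fix named in the post; DisableCompression is the advisory's server-side workaround.
function Get-SmbGhostStatus {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $affectedBuilds = @(18362, 18363)   # Windows 10 / Server 2019 versions 1903 and 1909

    # Get-HotFix only lists the update while it is the latest one installed; later cumulative
    # updates supersede KB4551762, so treat a "false" here as "verify the build revision manually".
    $patched = [bool](Get-HotFix -Id 'KB4551762' -ErrorAction SilentlyContinue)

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $disable = (Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $compressionDisabled = ($disable -eq 1)

    $affected = $build -in $affectedBuilds
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        AffectedBuild       = $affected
        Kb4551762Installed  = $patched
        CompressionDisabled = $compressionDisabled
        Exposed             = $affected -and -not $patched -and -not $compressionDisabled
    }
}

function Disable-SmbCompression {
    # Advisory workaround: disable SMBv3 compression on the server role. No reboot is needed,
    # but this only protects the host as an SMB server and does not replace the patch.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name DisableCompression -Type DWord -Value 1 -Force
}

$status = Get-SmbGhostStatus
$status | Format-List
if ($status.Exposed) {
    Write-Warning 'Exposed to CVE-2020-0796: install KB4551762; applying the compression workaround meanwhile.'
    Disable-SmbCompression   # requires an elevated session
}
```

Run it from an elevated session on each Domain Controller; the workaround is a stopgap and the patch remains the fix.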

 

In addition, to help our customers stay secure, we are releasing a new Azure ATP detection that looks for use of this vulnerability on unpatched Domain Controllers. The detection identifies crafted packets attempting to exploit SMBv3.

 

Get Started Today

Azure ATP leverages your Active Directory signals, the cloud intelligence underpinning all Microsoft’s security services, and identity-focused detections updated at cloud scale to prevent, detect, and investigate identity-based threats, compromised and malicious users, and lateral movement of on-premises attacks.

 

4 Comments
Super Contributor

It's nice and dandy, but it sounds a bit weird that MS, after letting that nasty vulnerability through in their newest and "safest" version of Windows 10, now sells this as a feature in ATP.

Occasional Contributor

@Oleg K Microsoft has patched the vulnerability in 2 days. Get the latest updates and you should be good. ATP will detect it on unpatched machines. 

New Contributor

What about Advanced Threat Analytics (ATA), the on-premise version of ATP; will that get this capability? Not everyone wants an ATP subscription.

Microsoft

@Mirza Dedic thanks for the question, it is currently available in Azure ATP only.