%3CLINGO-SUB%20id%3D%22lingo-sub-1300658%22%20slang%3D%22en-US%22%3EAzure%20ATP%20now%20detects%20SMBGhost%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1300658%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20post%20is%20authored%20by%26nbsp%3B%3C%2FEM%3E%3CEM%3EMor%3C%2FEM%3E%3CEM%3E%20Rubin%2C%20Security%20Researcher%2C%20Azure%20ATP.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20SMB%20vulnerability%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2020-0796%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECVE-2020-0796%3C%2FA%3E%2C%20also%20known%20as%20%E2%80%9CSMBGhost%E2%80%9D%20or%20%E2%80%9CCoronaBlue%E2%80%9D%2C%20was%20published%20a%20few%20days%20ago.%20This%20CVE%20is%20about%20a%20potential%20remote%20code%20execution%20due%20to%20a%20buffer%20overflow%20vulnerability%20in%20the%20way%20SMBv3%20(3.1.1)%20handles%20SMBv2%20compression%20requests.%20The%20vulnerability%20affects%20Windows%2010%20and%20Windows%20Server%202019%20versions%201903%20and%201909.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20few%20proofs%20of%20concept%20that%20trigger%20this%20vulnerability%20have%20been%20published%20already%20%E2%80%93%20one%20of%20them%20is%20on%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Feerykitty%2FCVE-2020-0796-PoC%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGitHub%3C%2FA%3E.%20So%20far%2C%20the%20tools%20published%20online%20are%20expected%20to%20cause%20a%20%E2%80%9Cblue%20screen%E2%80%9D%20if%20the%20target%20Windows%20server%20is%20vulnerable%20to%20this%20issue.%20As%20most%20of%20the%20critical%20servers%20in%20an%20organization%20are%20Windows%20servers%2C%20attackers%20will%20exploit%20this%20vulnerability%20to%20try%20to%20gain%20control%20of%20the%20remote%20servers%20without%20authenticating.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20vulnerability%20has%20the%20potential%20to%20become%20widely%20spread%2C%20similar%20to%20the%20way%20EternalBlue%20exploited%20the%20SMB%20protocol%20in%202017.%20It%E2%80%99s%20important%20to%20protect%20critical%20Windows%20servers%20by%20installing%20a%20patch%2C%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2020-0796%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKB4551762%3C%2FA%3E%2C%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2020-0796%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eor%20following%20other%20suggested%20mitigations%20and%20workaround%3C%2FA%3Es.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20to%20help%20our%20customers%20stay%20secure%2C%20we%20are%20releasing%20a%20new%20Azure%20ATP%20detection%20that%20looks%20for%20use%20of%20this%20vulnerability%20on%20unpatched%20Domain%20Controllers.%20The%20detection%20identifies%20crafted%20packets%20attempting%20to%20exploit%20SMBv3.%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorTal%20Maor_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22SMBAlert.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F183765iDF983FE6D3506815%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22SMBAlert.png%22%20alt%3D%22SMBAlert.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGet%20Started%20Today%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EAzure%20ATP%20leverages%20your%20Active%20Directory%20signals%2C%20the%20cloud%20intelligence%20underpinning%20all%20Microsoft%E2%80%99s%20security%20services%2C%20and%20identity-focused%20detections%20updated%20at%20cloud%20scale%20to%20prevent%2C%20detect%2C%20and%20investigate%20identity-based%20threats%2C%20compromised%20and%20malicious%20users%2C%20and%20lateral%20movement%20of%20on-premises%20attacks.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ELearn%20more%20about%20Azure%20ATP%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETechnical%20Documentation%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EStart%20a%20trial%20from%20our%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Ffeatures%2Fazure-advanced-threat-protection%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Advanced%20Threat%20Protection%20product%20page%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EJoin%20the%20Azure%20ATP%20community%3A%26nbsp%3Bon%20our%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Advanced-Threat-Protection%2Fbd-p%2FAzureAdvancedThreatProtection%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ETech%20Community%3C%2FA%3E%26nbsp%3Bor%20on%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.yammer.com%2Fazureadvisors%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EYammer%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1300658%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20ATP%20detection%20for%20SMB%20vulnerability%20%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-US%2Fsecurity-guidance%2Fadvisory%2FCVE-2020-0796%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ECVE-2020-0796%3C%2FA%3E%2C%20also%20known%20as%20%E2%80%9CSMBGhost%E2%80%9D%20or%20%E2%80%9CCoronaBlue%2C%E2%80%9D%20released%20a%20few%20days%20ago%26nbsp%3Bto%20help%20our%20customers%20stay%20secure.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1300658%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Active%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20Advanced%20Threat%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EEnterprise%20Mobility%20%2B%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThreat%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

This post is authored by Mor Rubin, Security Researcher, Azure ATP.

 

The SMB vulnerability CVE-2020-0796, also known as “SMBGhost” or “CoronaBlue”, was published a few days ago. This CVE is about a potential remote code execution due to a buffer overflow vulnerability in the way SMBv3 (3.1.1) handles SMBv2 compression requests. The vulnerability affects Windows 10 and Windows Server 2019 versions 1903 and 1909.

 

A few proofs of concept that trigger this vulnerability have been published already – one of them is on GitHub. So far, the tools published online are expected to cause a “blue screen” if the target Windows server is vulnerable to this issue. As most of the critical servers in an organization are Windows servers, attackers will exploit this vulnerability to try to gain control of the remote servers without authenticating.

 

The vulnerability has the potential to become widely spread, similar to the way EternalBlue exploited the SMB protocol in 2017. It’s important to protect critical Windows servers by installing a patch, KB4551762, or following other suggested mitigations and workarounds.

 

In addition, to help our customers stay secure, we are releasing a new Azure ATP detection that looks for use of this vulnerability on unpatched Domain Controllers. The detection identifies crafted packets attempting to exploit SMBv3.

 

SMBAlert.png

 

 

Get Started Today

Azure ATP leverages your Active Directory signals, the cloud intelligence underpinning all Microsoft’s security services, and identity-focused detections updated at cloud scale to prevent, detect, and investigate identity-based threats, compromised and malicious users, and lateral movement of on-premises attacks.