CVE-2020-0796: Remote Code Execution in Windows SMBv3 (SMBGhost)
Vulnerability ID: CVE-2020-0796
CVSS Score: 10.0
Published: 2020-03-12
CVE-2020-0796 is a critical remote code execution (RCE) vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. The flaw resides in the way the SMBv3 protocol handles certain compression requests within the srv2.sys kernel driver, allowing an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.
TL;DR
An integer overflow in the Windows SMBv3 decompression routine leads to a kernel heap buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code as SYSTEM via port 445.
⚠️ Exploit Status: WEAPONIZED
Technical Details
- CWE ID: CWE-119
- Attack Vector: Network
- CVSS Score: 10.0 (Critical)
- EPSS Score: 0.94408
- Impact: Unauthenticated Remote Code Execution as SYSTEM
- Exploit Status: Weaponized
- CISA KEV: Listed
Affected Systems
- Windows 10 Version 1903
- Windows 10 Version 1909
- Windows Server Version 1903
- Windows Server Version 1909
Exploit Details
- GitHub (danigargu): LPE Exploit
- GitHub (jamf): RCE Exploit
- GitHub (ly4k): Scanner
- PacketStorm: SMBv3 Compression Buffer Overflow PoC
Mitigation Strategies
- Apply the official Microsoft out-of-band patch or cumulative update.
- Disable SMBv3 compression via the Windows Registry.
- Block inbound TCP port 445 at the network perimeter.
Remediation Steps:
- Identify all Windows 10 and Windows Server instances running versions 1903 and 1909.
- Deploy the March 2020 security update to affected endpoints.
- If patching is delayed, execute the PowerShell command to set the DisableCompression registry key to 1.
- Verify perimeter firewall rules strictly block inbound connections on port 445 from untrusted networks.
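The registry step above can be audited and applied per host with a script like the following. This is an added example, not code from the original page: the key path is the one in Microsoft's published workaround, the build numbers 18362 and 18363 correspond to versions 1903 and 1909, and the `-Apply` switch and `Test-CompressionDisabled` helper are hypothetical names.

```powershell
# Added example, not from the original page. Run from an elevated session.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Key path and value name as given in Microsoft's published workaround.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'

# Versions 1903 and 1909 report OS builds 18362 and 18363.
$AffectedBuilds = @(18362, 18363)
$build    = [System.Environment]::OSVersion.Version.Build
$affected = $AffectedBuilds -contains $build

function Test-CompressionDisabled {
    # Returns $true only when the value exists and equals 1.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

$disabled = Test-CompressionDisabled
$action   = 'None'

if ($affected -and -not $disabled) {
    if ($Apply) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Type DWord -Value 1 -Force
        $disabled = Test-CompressionDisabled   # re-read to confirm the write
        $action   = if ($disabled) { 'WorkaroundApplied' } else { 'WriteFailed' }
    } else {
        $action = 'WorkaroundNeeded'
    }
}

# One object per host so results can be collected and exported fleet-wide.
# Note: this does not check patch level, and the workaround covers only the
# SMB server role; SMB clients stay exposed until the update is installed.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Build               = $build
    AffectedVersion     = $affected
    CompressionDisabled = $disabled
    Action              = $action
}
```

Run it without `-Apply` first to inventory which hosts still need the workaround, then rerun with `-Apply` on those hosts.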