

Posted: March 13, 2020

SMBGhost (also known as EternalDarkness and CVE-2020-0796) is a Windows vulnerability in the Server Message Block (SMB) protocol used by multiple Windows versions. The same protocol was exploited by high-profile threats such as the WannaCry Ransomware and the Petya Ransomware in 2017 – the previous SMB exploit, dubbed EternalBlue, allowed cybercriminals to greatly extend the reach of their attacks, since it enabled their threats to display worm-like behavior. Ever since the infamous WannaCry Ransomware outbreak, system administrators have been worried about seeing a new SMB vulnerability that may enable cybercriminals to launch a large-scale attack once again.

The good news is that the SMBGhost vulnerability is yet to be weaponized, and there is a significant chance that it might be a while before cyber crooks manage to exploit this security hole. The reason for this is rather surprising – Microsoft has already developed a security patch for this vulnerability, and it is expected to be released in the next few weeks. In fact, SMBGhost was disclosed to the public by Microsoft accidentally – it is not clear how this happened, but experts suggest that it might be linked to the Microsoft Active Protections Program (MAPP) or the Common Vulnerability Reporting Framework (CVRF).

The good thing about the SMBGhost (or EternalDarkness) vulnerability is that there is no proof-of-concept code available – this means that there is no program capable of exploiting this security hole yet. Another fact worth noting is that the bug only impacts SMBv3 – the latest versions of the SMB protocol are not used in old Windows versions like Vista, 7 and 8. This means that only recent releases of Windows Server and Windows 10 are considered to be vulnerable.

Although a patch for SMBGhost is scheduled to be released very soon, you can already take the required measures to protect your network from it by applying the following security tips:

  • Disable SMBv3 compression.
  • Filter Internet-facing traffic on TCP port 445.
  • Install and activate a reputable antivirus product.
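The first two tips above can be applied and verified from an elevated PowerShell session. The script below is an added example, not code from the original article or from Microsoft; it uses the DisableCompression registry value that Microsoft documents as the CVE-2020-0796 workaround, and the firewall rule name is a constructed placeholder. The third tip (antivirus) is a product choice and is not scripted.

```powershell
# Added example (not from the original article): apply and verify the two
# network-side SMBGhost mitigations on a Windows 10 / Windows Server host.
# Run from an elevated PowerShell session. The DisableCompression value is the
# workaround Microsoft documents for CVE-2020-0796; the firewall rule name is
# a constructed placeholder.

#Requires -RunAsAdministrator

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-SmbV3Compression {
    # DisableCompression=1 makes the SMB server refuse compressed SMBv3.1.1
    # requests, which removes the code path SMBGhost targets.
    Set-ItemProperty -Path $lanmanParams -Name 'DisableCompression' -Type DWord -Value 1 -Force
}

function Test-SmbV3CompressionDisabled {
    # Read the value back so the change can be audited; $null means the value
    # was never set and compression is still enabled.
    $value = (Get-ItemProperty -Path $lanmanParams -Name 'DisableCompression' `
        -ErrorAction SilentlyContinue).DisableCompression
    return ($value -eq 1)
}

function Block-InternetSmb445 {
    # Block inbound TCP 445 on the Public profile only, so SMB file sharing on
    # trusted Domain/Private networks keeps working while Internet-facing
    # interfaces stop accepting SMB connections. A perimeter firewall rule for
    # 445 remains the primary control; this is the host-level backstop.
    $ruleName = 'Block inbound SMB 445 (Public profile)'   # constructed name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

Disable-SmbV3Compression
Block-InternetSmb445

if (Test-SmbV3CompressionDisabled) {
    Write-Host 'SMBv3 compression disabled; no reboot is required for this setting.'
} else {
    Write-Warning 'DisableCompression is not set to 1 - check that the session is elevated.'
}
```

Two caveats worth keeping in mind: the DisableCompression workaround hardens only the SMB server side of a host, so a vulnerable SMB client that connects to a hostile server is not covered, and the port-445 block only protects interfaces on the Public profile. Neither replaces installing Microsoft's patch once it ships.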

Hopefully, we will not hear about SMB exploits anymore, because they have proven to be very threatening when abused in combination with a high-level threat like the Petya Ransomware or the WannaCryptor Ransomware (WanaCrypt0r Ransomware).