Windows 10 SMBGhost bug gets public proof-of-concept RCE exploit

Working exploit code that achieves remote code execution on Windows 10 machines is now publicly available for CVE-2020-0796, a critical vulnerability in Microsoft Server Message Block (SMB 3.1.1).


More refined versions of the exploit are expected to emerge, especially since at least two cybersecurity companies created exploits for the vulnerability and have been holding back the release since April.


Critical severity


Known by various names (SMBGhost, CoronaBlue, NexternalBlue, BluesDay), the security flaw can be leveraged by an unauthenticated attacker to spread malware from one vulnerable system to another without user interaction.


SMBGhost affects Windows 10 versions 1909 and 1903, including Server Core. Microsoft patched it in March, warning that exploitation is “more likely” on both older and newer software releases and that it is as critical as can be: maximum severity score of 10.


All an attacker would need to do to exploit it is send a specially crafted packet to a targeted SMBv3 server. The result would be similar to the WannaCry and NotPetya attacks from 2017, which used the EternalBlue exploit for SMB v1.


Exploit code for SMBGhost


After the vulnerability leaked in March, security researchers began looking for ways to exploit SMBGhost, but the results were limited to local privilege escalation (LPE) and denial of service (blue screen).


Cybercriminals have been leveraging the vulnerability to escalate local privileges and deliver malware pieces (1,