103,000 machines are still vulnerable to SMBGhost attacks

Eight months after Microsoft issued a patch for the critical SMBGhost issues over 100,000 systems exposed online are still vulnerable to this attack.

In March, Microsoft has addressed the critical SMBGhost vulnerability (CVE-2020-0796) in the Server Message Block (SMB) protocol.

“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.” reads the advisory published by Microsoft.

“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”

The exploitation of the SMBGhost flaw exposes systems to a ‘wormable’ attack, which means it would be easy to move from victim to victim.”

The wormable Remote Code Execution (RCE) flaw could allow malware to spread malware across machines without any need for user interaction.

Although Microsoft addressed the issue in March, over 100,000 machines remain vulnerable to attacks exploiting the SMBGhost flaw.

The researcher Jan Kopriva published a post on the SANS ISC Infosec Forums and revealed that over 103 000 machines online are yet to be patched.

“I’m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103 000 affected machines accessible from the internet. This would mean that a vulnerable machine hides behind approximately 8% of all IPs, which have port 445 open.” reads the post.

Most of the vulnerable machines are located in Taiwan (22%), followed by Japan (20%) and Russia (11%).

In June, the US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning that threat actors were using the PoC code to exploit the SMBGhost in attacks in the wild.

“In any case, if the numbers provided by Shodan are accurate, they are concerning to say the least, especially since SMBGhost – as an RCE – is “wormable”. If for whatever reason you still haven’t patched any of your systems, now would seem to be a good time to do so.” concludes the post.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SMBGhost)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.