How to scan for SMB vulnerabilities

Not too long in the wake of the WannaCry Ransomware attack that crippled companies, government branches, and emergency services alike a new SMB vulnerability was accidentally leaked by Microsoft’s internal testing team. This vulnerability only impacts SMBv3, this means that Windows 7 and Windows Server 2008 R2 are safe from attack.
With successful exploitation, an attacker can gain full control of the remote system that is being targeted without any authentication by sending a specially crafted packet. To attack SMB clients a malicious SMB server would have to be set up by the attacker.

There is no known way to protect SMB clients, but for SMB servers two measures can be taken:

1. Set your firewall policy to BLOCK firewall all traffic to port 445.
2. Disable SMBv3 compression in the Windows Registry.

To disable compression for SMB, follow the instructions below:

1. Start an elevated PowerShell prompt by right-clicking and selecting “Run as Administrator”.
2. Execute the following command:

No attacks have been observed in the wild, but until Microsoft releases patch prevention is all we can do.

BreachLock Inc. has included the checks for CVE-2020-0796 in its RATA (Reliable Attack Testing Automation) Vulnerability Scanner. These checks are made available to all BreachLock clients on March 12^th, 2020 as a part of the network scanning module. Schedule a call today to learn more about Breachlock offerings.