Mon. Jul 13th, 2020

Researcher published Microsoft SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796) PoC


We have recently detected that researchers have published a PoC for the remote code execution vulnerability in the SMBv3 protocol (CVE-2020-0796), which greatly increases the potential harm of the vulnerability. Users who have not yet fixed the vulnerability should take protective measures as soon as possible.

The Microsoft Server Message Block 3.1.1 (SMBv3) protocol has a code execution vulnerability in the way it handles certain requests. An attacker can send a carefully constructed data packet to an SMB server and, without authentication, execute arbitrary code on the target server. An attacker can also deploy a malicious SMBv3 server and induce a user to connect to it; once the target user connects, the attacker's malicious code can be executed on the user's computer. Because this vulnerability is similar to the EternalBlue vulnerability, it is easy for worms to use it to spread malicious programs, and it may become widely used by malware and attackers.

Affected versions

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

On April 14, a researcher released a demo video for exploiting this vulnerability.

Recently, the researchers released remote exploitation code for this vulnerability, which increases the actual threat.

We recommend that Windows 10 users install the patch (KB4551762) published by Microsoft.
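
One way to check a host against the affected versions and the patch recommended above (an added example, not part of the original article or Microsoft's guidance). The function name `Test-Smbv3PatchState` is hypothetical. It assumes, beyond what the page states, that versions 1903 and 1909 report build numbers 18362 and 18363 and that KB4551762 raises the update revision (UBR) to 720.

```powershell
# Added example: local patch-state check for CVE-2020-0796.
# Assumptions not stated on the page: 1903/1909 map to builds 18362/18363,
# and KB4551762 brings the update build revision (UBR) to 720.

function Test-Smbv3PatchState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$Build,     # e.g. 18363
        [Parameter(Mandatory)][int]$Revision,  # UBR, e.g. 719
        [string[]]$InstalledKb = @()           # hotfix IDs present on the host
    )

    $affectedBuilds = 18362, 18363
    if ($Build -notin $affectedBuilds) {
        return 'NotInAffectedList'
    }

    # Later cumulative updates supersede KB4551762, so the KB itself can be
    # missing from the hotfix list on a patched host; fall back to the revision.
    if (($InstalledKb -contains 'KB4551762') -or ($Revision -ge 720)) {
        return 'Patched'
    }
    return 'Vulnerable'
}

# Collect the local build, revision and installed hotfix IDs.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$kbs = @(Get-HotFix -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty HotFixID)

$state = Test-Smbv3PatchState -Build ([int]$cv.CurrentBuildNumber) `
                              -Revision ([int]$cv.UBR) `
                              -InstalledKb $kbs

# Emit one object per host so results can be exported or aggregated.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Build    = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    State    = $state
}
```

Hosts that report `Vulnerable` are on an affected version without the update and should be patched first.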