⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-08-10.

CVE-2020-0796

CWE-119 — Buffer Overflow21 documents13 sources

Severity

10.0CRITICAL

EPSS

94.4%

top 0.02%

CISA KEV

KEVRansomware

Added 2022-02-10

Due 2022-08-10

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Windows 10 Version 1903 FOR 32-bit Systems Microsoft Windows 10 Version 1903 FOR Arm64-based Systems Microsoft Windows 10 Version 1903 FOR X64-based Systems +3 more

Timeline

PublishedMar 12

KEV addedFeb 10

Latest updateMay 24

KEV dueAug 10

CISA Required Action: Apply updates per vendor instructions.

Description

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages6 packages

▶CVEListV5microsoft/windows_10_version_1903_for_32-bit_systemsunspecified

▶CVEListV5microsoft/windows_10_version_1909_for_32-bit_systemsunspecified

▶CVEListV5microsoft/windows_10_version_1903_for_x64-based_systemsunspecified

▶CVEListV5microsoft/windows_10_version_1909_for_x64-based_systemsunspecified

▶CVEListV5microsoft/windows_10_version_1903_for_arm64-based_systemsunspecified

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-vh23-87v3-h8c6: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3↗2022-05-24

▶

CVEList

CVE-2020-0796: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3↗2020-03-12

▶

VulnCheck

Microsoft SMBv3 Remote Code Execution Vulnerability↗2020

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Windows - 'SMBGhost' Remote Code Execution↗2020-06-02

▶

Exploit-DB

Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation↗2020-03-30

▶

Exploit-DB

Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)↗2020-03-14

▶

Nuclei

Microsoft SMBv3 - Remote Code Execution

▶

📋Vendor Advisories

CISA

Microsoft SMBv3 Remote Code Execution Vulnerability↗2022-02-10

▶

Microsoft

Windows SMBv3 Client/Server Remote Code Execution Vulnerability↗2020-03-10

▶

🕵️Threat Intelligence

Qualys

Automatically Discover, Prioritize and Remediate Microsoft SMBv3 RCE Vulnerability (CVE-2020-0796) using Qualys VMDR | Qualys↗2020-03-16

▶

Qualys

Automatically Discover, Prioritize and Remediate Microsoft SMBv3 RCE Vulnerability (CVE-2020-0796) using Qualys VMDR↗2020-03-16

▶

Tenable

Media Alert: Tenable Releases Plugins for EternalDarkness↗2020-03-13

▶

Fortinet

CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server | FortiGuard Labs↗2020-03-12

▶

Qualys

Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)↗2020-03-11

▶