If There’s Something Strange in Your SMB, Who You Gonna Call?

In March 2020, Microsoft cryptically released information on CVE-2020-0796, dubbed SMBGhost because of the effect it has on Server Message Block (SMB) v3.1.1. Cybersecurity teams scrambled to apply workarounds while they waited for Microsoft to release an official patch.

SMB was originally designed by IBM in early 1983 to improve file sharing on networks. But like most early communication protocols, it wasn’t designed with security in mind. (Early developers were optimistic about the future of knowledge sharing — they couldn’t conceive of all the bad actors we see today!)

SMB has gone through several iterations and is now mainly a Microsoft protocol for network file sharing, browsing, printing, and inter-process communication. Engineers have tried to mitigate its security flaws — especially after WannaCry — but SMB clearly still poses a risk.

The proof-of-concept release for SMBGhost amplified that risk. And the situation has been compounded by the rapid growth of networks, global connectivity of multinational businesses, and remote work due to the COVID-19 pandemic.

SMBGhost chained to SMBleed makes “haunting” even scarier

An integer overflow flaw exists in SMBv3.1.1's srv2!DecompressData, the routine that decompresses compressed request packets. An attacker could send a specially crafted compressed data packet that enables remote, unauthenticated, arbitrary code execution. To make matters worse, SMBGhost was "wormable" and could be combined with a newer flaw named SMBleed.

Technically, SMBleed was not as potent as SMBGhost (remote kernel memory read versus pre-authentication remote code execution), but both stem from srv2!DecompressData and both allowed a remote attacker to exploit the SMB server.
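The integer overflow described above is easiest to see in the header that precedes every compressed SMB2 message. The following Python is an added example, not code from the original post or from Microsoft: it parses the 16-byte compression transform header as laid out in MS-SMB2 (ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset/Length), models the widely reported cause of the flaw (the buffer size is computed as OriginalCompressedSegmentSize + Offset in 32-bit arithmetic, so a large pair of values wraps to a tiny allocation), and places a hardened validator beside it that rejects any header whose sizes overflow or are inconsistent with the payload. The sample messages are constructed for illustration and carry no real compressed data.

```python
import struct

# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2): 16 bytes, little-endian.
#   ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2)
#   Flags (2)      | Offset/Length (4)
COMPRESSION_TRANSFORM_HEADER = struct.Struct("<4sIHHI")
PROTOCOL_ID = b"\xfcSMB"
LZNT1 = 1  # CompressionAlgorithm id used for the constructed samples below
U32_MAX = 0xFFFFFFFF


def parse_header(data: bytes) -> dict:
    """Parse the compression transform header; raise ValueError if it is malformed."""
    if len(data) < COMPRESSION_TRANSFORM_HEADER.size:
        raise ValueError("short header")
    proto, orig_size, algo, flags, offset = COMPRESSION_TRANSFORM_HEADER.unpack_from(data)
    if proto != PROTOCOL_ID:
        raise ValueError("not a compressed SMB2 message")
    return {"original_size": orig_size, "algorithm": algo, "flags": flags, "offset": offset}


def unchecked_buffer_size(hdr: dict) -> int:
    """Model of the unchecked 32-bit sum behind the flaw: the result silently wraps."""
    return (hdr["original_size"] + hdr["offset"]) & U32_MAX


def checked_buffer_size(hdr: dict, payload_len: int) -> int:
    """Hardened variant: fail closed on overflow or on sizes inconsistent with the payload."""
    total = hdr["original_size"] + hdr["offset"]  # Python ints do not wrap
    if total > U32_MAX:
        raise ValueError("OriginalCompressedSegmentSize + Offset overflows 32 bits")
    if hdr["offset"] > payload_len:
        raise ValueError("Offset exceeds payload length")
    return total


def build_message(orig_size: int, offset: int, payload: bytes = b"") -> bytes:
    """Constructed sample: header followed by filler bytes standing in for the payload."""
    return COMPRESSION_TRANSFORM_HEADER.pack(PROTOCOL_ID, orig_size, LZNT1, 0, offset) + payload


def triage(messages):
    """Run each message through the hardened path; return 'ok' or the rejection reason."""
    verdicts = []
    for msg in messages:
        try:
            hdr = parse_header(msg)
            checked_buffer_size(hdr, len(msg) - COMPRESSION_TRANSFORM_HEADER.size)
            verdicts.append("ok")
        except ValueError as err:
            verdicts.append(str(err))
    return verdicts


if __name__ == "__main__":
    benign = build_message(0x1000, 0x10, b"A" * 0x10)
    wrapping = build_message(0xFFFFFFF0, 0x20, b"A" * 0x20)
    print("benign  unchecked size:", hex(unchecked_buffer_size(parse_header(benign))))
    print("wrapping unchecked size:", hex(unchecked_buffer_size(parse_header(wrapping))))
    for msg, verdict in zip(["benign", "wrapping"], triage([benign, wrapping])):
        print(f"{msg}: {verdict}")
```

The unchecked sum turns 0xFFFFFFF0 + 0x20 into 0x10, which is exactly why the original routine would allocate a buffer far smaller than the data it then wrote into it; the checked variant refuses the header before any allocation happens. The same fail-closed shape (validate every length field against the others and against the bytes actually received, in arithmetic that cannot wrap) is the general defence for this class of parser bug.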

“Risk Hunting” Can Fill the Gap

One major frustration about the SMBGhost issue was that Microsoft released information without a proper fix. Some users thought Microsoft was saying, in effect: “Here is an issue, you figure it out.”

Fortunately, “Risk Hunting” solutions — like the Epiphany Intelligence Platform — are designed precisely for problems like this.

Epiphany ingests and analyzes data from thousands of sources. The platform uses machine learning to understand vulnerabilities, develop context, and identify business risks.

Epiphany also maps where successful attacks could go after compromising an asset, and how those transitions could impact mission-critical processes. With that information, Epiphany can prioritize the greatest business risks and guide mitigation efforts. All before an attack occurs.

For SMBGhost and SMBleed — or any vulnerability like them — Epiphany can work with even the most cryptic or incomplete information. So it can help mitigate risks regardless of whether an official patch is available, or even if a patch never comes.

As soon as a tech company like Microsoft breaks the news about a new vulnerability, a Risk Hunting platform like Epiphany can look for specific conditions that might allow the exploitation. Then it can identify all possible paths that could connect that point of exploitation to your most valuable data.

Your security team can then take targeted, effective action to protect that data.