More than 100,000 Windows systems have not yet been updated to protect against a previously-patched, critical and wormable flaw in Windows called SMBGhost.
Microsoft patched the remote code-execution (RCE) flaw bug tracked as CVE-2020-0796 back in March; it affects Windows 10 and Windows Server 2019, and ranks 10 out of 10 on the CVSS scale. It exists in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol, the same protocol that was targeted by the infamous WannaCry ransomware in 2017.
“I’m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103,000 affected machines accessible from the internet,” Jan Kopriva, one of the researchers at the SANS Internet Storm Center, said in a post on Wednesday.
According to Kopriva, many of these vulnerable systems (22 percent) are in Taiwan, Japan (20 percent), Russia (11 percent) and the U.S. (9 percent).
Microsoft released its fix, KB4551762, as an update for Windows 10 (versions 1903 and 1909) and Windows Server 2019 (versions 1903 and 1909).
In lieu of a patch, Microsoft in March had noted that administrators can use PowerShell to disable SMBv3 compression, which will block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. To protect clients from outside attacks, it’s necessary to block TCP port 445 at the enterprise perimeter firewall. Kopriva for his part also tracked a percentage of all IPs with an open port 445 via Shodan, and found that overall approximately 8 percent of all IPs have port 445 open.
The chart below shows the number of vulnerable systems that are open to SMBGhost. Kopriva noted in a message to Threatpost that the “dips” in the data are presumably caused by Shodan re-scanning a large number of IP ranges.
The pressure is on for system administrators to patch their systems against SMBGhost, with various proof of concepts (PoCs) for the flaw being released over the past few months. While many attempts to exploit SMBGhost resulted only in denial of service or local privilege escalation, a PoC released in June by someone who goes by “Chompie,” who announced his exploit to achieve RCE on Twitter.
“Since release of this PoC was again met with wide attention from the media, one might reasonably expect that by now, most of the vulnerable machines would have been patched – especially those accessible from the internet,” according to Kopriva.
These PoCs have also spurred the Department of Homeland Security to urge companies to update in June, saying that cybercriminals are targeting the unpatched systems: The agency “strongly recommends using a firewall to block server message block ports from the internet and to apply patches to critical- and high-severity vulnerabilities as soon as possible.”