“A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.” reads the advisory published by Microsoft.
“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.”
The exploitation of the SMBGhost flaw exposes systems to a ‘wormable’ attack, which means it would be easy to move from victim to victim.”
The wormable Remote Code Execution (RCE) flaw could allow malware to spread malware across machines without any need for user interaction.
Although Microsoft addressed the issue in March, over 100,000 machines remain vulnerable to attacks exploiting the SMBGhost flaw.
The researcher Jan Kopriva published a post on the SANS ISC Infosec Forums and revealed that over 103 000 machines online are yet to be patched.
“I’m unsure what method Shodan uses to determine whether a certain machine is vulnerable to SMBGhost, but if its detection mechanism is accurate, it would appear that there are still over 103 000 affected machines accessible from the internet. This would mean that a vulnerable machine hides behind approximately 8% of all IPs, which have port 445 open.” reads the post.
Most of the vulnerable machines are located in Taiwan (22%), followed by Japan (20%) and Russia (11%).
“In any case, if the numbers provided by Shodan are accurate, they are concerning to say the least, especially since SMBGhost – as an RCE – is “wormable”. If for whatever reason you still haven’t patched any of your systems, now would seem to be a good time to do so.” concludes the post.
(SecurityAffairs – hacking, SMBGhost)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.