SMBGhost Vulnerability: What is it and How to Protect Windows 10

Telecommuting has, by necessity, become hugely popular in recent months. Millions of users have had to leave their workplaces and start working from home. Unsurprisingly, hackers were going to find a way to take advantage of this. That is how the SMBGhost vulnerability appeared, one of the most serious flaws discovered in Windows 10, which until today had not even been acknowledged by Microsoft.

SMBGhost is a vulnerability in Microsoft's Server Message Block 3.1.1 protocol. The flaw allows a data packet, specially crafted to exploit the vulnerability, to be processed by the SMB server and execute arbitrary code on the system.

This vulnerability was registered as CVE-2020-0796 on March 10 and received a severity score of 10 out of 10. Microsoft revealed the flaw by mistake when the March security patches were released, and the repercussions were such that the company had to release an experimental patch to protect users.

Time passed, and of course hackers began looking for ways to exploit this vulnerability. Finally, a few days ago, the first public exploits for SMBGhost began to appear.

Is my computer vulnerable?

For SMBGhost to be exploitable, the computer must be running either a version of Windows 10 or Windows Server Core. Other operating systems appear not to be vulnerable, so they should not be at risk.

Additionally, Microsoft has already released an urgent security patch to protect vulnerable users, so if any of the above operating systems has the latest security patches installed, there is nothing to worry about.

If we don't have this security patch installed, then we are vulnerable, and hackers are looking for the opportunity to make us their "victims".

How to protect Windows from SMBGhost

The best way to protect ourselves from this serious vulnerability is to manually download the security patches, available for Windows 10 1903 and 1909 (2004 is already protected as standard), and install them on our computer. Once they are installed, we reboot the PC and that's it: SMBGhost should no longer worry us.

In addition, there are other ways to protect our computer from this serious vulnerability. The first is to disable SMBv3 compression manually by running the following command in a PowerShell window with administrator permissions:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Or, if we prefer, we can edit the registry manually, which has the same effect. To do so, go to the key HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanmanServer > Parameters and create a new 32-bit DWORD value called "DisableCompression" with the value "1".

Finally, we can also block the Internet-facing ports used by SMB in the Windows firewall. The default port to block is 445; if we have changed it, we will have to adjust the rule ourselves. With this option, our PC is protected from possible attacks from the Internet while SMB continues to work on the LAN. It will not, however, protect us from possible attacks from within the network itself.
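To confirm which of the workarounds above are actually in place on a machine, a read-only check such as the following can be run in an elevated PowerShell window. It is an added example, not part of the original article; the function name Get-SmbGhostMitigationStatus is hypothetical, and the build-number mapping for 1903 and 1909 is supplied here rather than taken from the article.

```powershell
# Added example: read-only audit of the workarounds described in this article.
# It changes nothing on the system.
function Get-SmbGhostMitigationStatus {
    [CmdletBinding()]
    param()

    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Releases the article lists as needing the patch, keyed by build number
    # (18362 = 1903, 18363 = 1909). Mapping added for this example.
    $needsPatch = @{ 18362 = '1903'; 18363 = '1909' }
    $build = [System.Environment]::OSVersion.Version.Build

    # Workaround 1: the DisableCompression DWORD must exist and equal 1.
    $reg = Get-ItemProperty -Path $paramKey -Name DisableCompression -ErrorAction SilentlyContinue
    $compressionOff = ($null -ne $reg) -and ($reg.DisableCompression -eq 1)

    # Workaround 2: an enabled inbound block rule that covers TCP port 445.
    $blockRules = @(
        Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
            Where-Object {
                $filter = $_ | Get-NetFirewallPortFilter
                $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains '445')
            }
    )

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        ReleaseNeedingPatch = $needsPatch[$build]   # empty when not 1903/1909
        CompressionDisabled = $compressionOff
        Inbound445Blocked   = ($blockRules.Count -gt 0)
        # Rule name plus the firewall profile(s) it applies to
        BlockRules          = @($blockRules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" })
    }
}

Get-SmbGhostMitigationStatus | Format-List
```

The output reflects only the registry and firewall workarounds; it does not tell us whether the security patch itself is installed, which still has to be verified through Windows Update.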