
CVE-2020-0796 | Windows SMBv3 RCE

Description: Query checks for CVE-2020-0796 Windows SMBv3 Client/Server Remote Code Execution Vulnerability.

What The Data Shows: Data will show whether Windows hosts have been patched or not. More details can be found at https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0796

SQL: 

 
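-- kb.cnt is 1 when the fix is listed in the patches table, otherwise 0
WITH kb AS 
(SELECT COUNT(*) AS cnt,
        1 AS one
 FROM patches
 WHERE hotfix_id = 'KB4551762'),

-- osver.cnt is 2 when the host runs one of the checked builds, otherwise 0
osver AS
(SELECT COUNT(*)*2 AS cnt,
        1 AS one
 FROM os_version
 WHERE build = 18363
     OR build = 18362)

-- Sum: 2 = checked build without the fix, 3 = checked build with the fix,
-- 0 or 1 = a build this query does not check
SELECT
     CASE (kb.cnt+osver.cnt)
         WHEN 2 THEN 'CRITICAL_PATCH_MISSING'
         WHEN 3 THEN 'SYSTEM_IS_PATCHED'
         ELSE 'PATCH_NOT_APPLICABLE'
     END "CVE-2020-0796:SMBv3 RCE"
FROM kb
JOIN osver USING (one);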
 

Fix: hotfix_id = "KB4551762"
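
Added example (not part of the original post): the query's scoring logic run with Python's sqlite3 against minimal stand-ins for the osquery `patches` and `os_version` tables. The hosts are constructed sample data, `KB0000000` is a placeholder id, and the string literals use single quotes.

```python
import sqlite3

# The page's query, with single-quoted string literals.
QUERY = """
WITH kb AS
(SELECT COUNT(*) AS cnt, 1 AS one
 FROM patches
 WHERE hotfix_id = 'KB4551762'),
osver AS
(SELECT COUNT(*)*2 AS cnt, 1 AS one
 FROM os_version
 WHERE build = 18363 OR build = 18362)
SELECT CASE (kb.cnt+osver.cnt)
         WHEN 2 THEN 'CRITICAL_PATCH_MISSING'
         WHEN 3 THEN 'SYSTEM_IS_PATCHED'
         ELSE 'PATCH_NOT_APPLICABLE'
       END "CVE-2020-0796:SMBv3 RCE"
FROM kb JOIN osver USING (one);
"""

def evaluate(build, hotfixes):
    """Run QUERY against one simulated host and return its verdict."""
    db = sqlite3.connect(":memory:")
    # Stand-ins for the osquery tables: only the columns the query reads.
    db.execute("CREATE TABLE patches (hotfix_id TEXT)")
    db.execute("CREATE TABLE os_version (build TEXT)")
    db.execute("INSERT INTO os_version VALUES (?)", (build,))
    db.executemany("INSERT INTO patches VALUES (?)", [(h,) for h in hotfixes])
    verdict = db.execute(QUERY).fetchone()[0]
    db.close()
    return verdict

# Constructed hosts: (description, build, hotfix ids in the patches table).
HOSTS = [
    ("build 18363, fix listed", "18363", ["KB4551762"]),
    ("build 18362, no hotfixes", "18362", []),
    ("build 18363, only a placeholder KB", "18363", ["KB0000000"]),
    ("build 17763, no hotfixes", "17763", []),
    ("build 17763, KB row present", "17763", ["KB4551762"]),
]

if __name__ == "__main__":
    for desc, build, hotfixes in HOSTS:
        print(f"{desc:36} -> {evaluate(build, hotfixes)}")
```

The third host shows that the query keys on the exact `hotfix_id`: a build 18362/18363 host whose `patches` table lists only other KBs is reported as CRITICAL_PATCH_MISSING. The last two hosts show that any other build falls through to PATCH_NOT_APPLICABLE whether or not the KB row exists.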

 

1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved

@s-shimizu awesome query! I reformatted it so it is easier to read.