SMBleed CVE-2020-1206 Vulnerability

Description: Lists endpoints that are either vulnerable or not vulnerable to the SMBleed vulnerability, CVE-2020-1206. This vulnerability allows attackers to remotely leak kernel memory, and when combined with SMBGhost, can be used for remote code execution: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206

What The Data Shows: The data shows endpoints that are vulnerable to SMBleed. Vulnerable endpoints include Windows 10 endpoints, on version 1903, 1909, or 2004, that have not installed KB4560960 for version 1903 and 1909, or have not installed KB4557959 for version 2004. Further explanation here: https://thehackernews.com/2020/06/SMBleed-smb-vulnerability.html

SQL: 

SELECT name, build, CASE
	-- Only Windows 10 is in scope for this check
	WHEN name NOT LIKE '%Windows 10%' THEN 'Not Vulnerable'
	-- Affected builds: 18362 (1903), 18363 (1909), 19041 (2004)
	WHEN build NOT IN ('18362', '18363', '19041') THEN 'Not Vulnerable'
	-- Fixed once either update is present in the patches table
	WHEN EXISTS
		(SELECT 1 FROM patches WHERE
			hotfix_id IN ('KB4560960', 'KB4557957')
		) THEN 'Not Vulnerable'
	ELSE 'Vulnerable'
	END AS "CVE-2020-1206"
FROM os_version;
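
The following is an added example, not part of the original post: it runs the vulnerable/not-vulnerable decision in in-memory SQLite against constructed endpoints, including one whose patches table is empty, where joining patches and os_version inside EXISTS yields no rows and reports an out-of-scope build as Vulnerable. The two-column tables are a reduced stand-in for osquery's os_version and patches, the endpoint names and KB0000001 are constructed, and the KB ids and builds are those in the SQL above.

```python
import sqlite3

# Each condition evaluated on its own (KB ids and builds as in the page's SQL).
CHECK = """
SELECT CASE
    WHEN name NOT LIKE '%Windows 10%' THEN 'Not Vulnerable'
    WHEN build NOT IN ('18362', '18363', '19041') THEN 'Not Vulnerable'
    WHEN EXISTS (SELECT 1 FROM patches
                 WHERE hotfix_id IN ('KB4560960', 'KB4557957')) THEN 'Not Vulnerable'
    ELSE 'Vulnerable'
END FROM os_version;
"""

# Same conditions, but with patches and os_version joined inside EXISTS.
JOINED = """
SELECT CASE WHEN EXISTS (
    SELECT 1 FROM patches, os_version
    WHERE patches.hotfix_id IN ('KB4560960', 'KB4557957')
       OR os_version.name NOT LIKE '%Windows 10%'
       OR os_version.build NOT IN ('18362', '18363', '19041')
) THEN 'Not Vulnerable' ELSE 'Vulnerable' END FROM os_version;
"""

def verdict(query, name, build, hotfixes):
    # Build one constructed endpoint (reduced osquery-style tables) and run the query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE os_version (name TEXT, build TEXT)")
    db.execute("CREATE TABLE patches (hotfix_id TEXT)")
    db.execute("INSERT INTO os_version VALUES (?, ?)", (name, build))
    db.executemany("INSERT INTO patches VALUES (?)", [(h,) for h in hotfixes])
    result = db.execute(query).fetchone()[0]
    db.close()
    return result

# Constructed endpoints: (name, build, installed hotfixes). KB0000001 is a placeholder.
ENDPOINTS = {
    "1909 unpatched": ("Microsoft Windows 10 Pro", "18363", ["KB0000001"]),
    "1909 patched": ("Microsoft Windows 10 Pro", "18363", ["KB4560960"]),
    "2004 patched": ("Microsoft Windows 10 Enterprise", "19041", ["KB4557957"]),
    "1809 out of scope": ("Microsoft Windows 10 Pro", "17763", ["KB0000001"]),
    "1809 no hotfix rows": ("Microsoft Windows 10 Pro", "17763", []),
}

def report(query):
    return {label: verdict(query, *ep) for label, ep in ENDPOINTS.items()}

if __name__ == "__main__":
    fixed, joined = report(CHECK), report(JOINED)
    for label in ENDPOINTS:
        print(f"{label:22} per-condition={fixed[label]:15} joined={joined[label]}")
```

The two forms agree on every endpoint except the one with no hotfix rows, which is the case to test before relying on the result column for reporting.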

1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved

@JRoosa Sorry I missed this one! Thanks for the contribution.