Built on the open source project Osquery
Description:
Discover SMB servers potentially vulnerable to CVE-2020-0796. Indicates vulnerability when shares other than the default administrative shares (ADMIN$, IPC$, C$) are present, SMB compression has not been disabled through the LanmanServer DisableCompression registry value, the Windows build is 18362 or 18363, and hotfix KB4551762 is not installed. To further validate existing SMB servers, see the IT Hygiene query Rogue Share detection.
Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
SQL:
SELECT CASE WHEN EXISTS (
    SELECT build, shares, disablecompression, patched
    FROM
        (SELECT build FROM os_version),
        (SELECT count(name) AS shares
         FROM shared_resources
         WHERE NOT lower(name) = 'admin$'
           AND NOT lower(name) = 'ipc$'
           AND NOT lower(name) = 'c$'),
        (SELECT CASE WHEN EXISTS
            (SELECT data FROM registry
             WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression'
               AND data = 1)
         THEN 'TRUE' ELSE 'FALSE' END AS disablecompression),
        (SELECT CASE WHEN EXISTS
            (SELECT hotfix_id FROM patches WHERE hotfix_id = 'KB4551762')
         THEN 'TRUE' ELSE 'FALSE' END AS patched)
    WHERE (build = 18362 OR build = 18363)
      AND shares > 0
      AND disablecompression = 'FALSE'
      AND patched = 'FALSE'
)
THEN 'Vulnerable' ELSE 'Not Vulnerable' END AS 'SMBv3 CVE-2020-0796';
Results:
Flags SMB servers as vulnerable when non-administrative shares are present, compression is enabled, Windows build is 18362 or 18363, and KB4551762 is absent. Because the query recognises only that one hotfix ID, hosts that receive later updates under a different ID may still be reported as vulnerable (false positives) once such patches are available and applied.
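To check the query's logic offline before deploying it, the following added example (not part of the catalog entry or of osquery itself) runs the same SQL in an in-memory SQLite database against constructed stand-ins for the osquery tables it reads; the host rows, share names and the placeholder hotfix ID KB0000000 are all made up, and the last case reproduces the false positive described above.

```python
import sqlite3

# Registry value the query keys on (the SMBv3 compression workaround).
REG_PATH = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
            r"\LanmanServer\Parameters\DisableCompression")

# The catalog query, reformatted; the inner SELECT yields a row only when
# every condition holds, so the outer CASE then reads 'Vulnerable'.
QUERY = """
SELECT CASE WHEN EXISTS (
  SELECT build, shares, disablecompression, patched
  FROM (SELECT build FROM os_version),
       (SELECT count(name) AS shares FROM shared_resources
         WHERE lower(name) NOT IN ('admin$', 'ipc$', 'c$')),
       (SELECT CASE WHEN EXISTS (SELECT data FROM registry
                                 WHERE path = :reg_path AND data = 1)
               THEN 'TRUE' ELSE 'FALSE' END AS disablecompression),
       (SELECT CASE WHEN EXISTS (SELECT hotfix_id FROM patches
                                 WHERE hotfix_id = 'KB4551762')
               THEN 'TRUE' ELSE 'FALSE' END AS patched)
  WHERE (build = 18362 OR build = 18363)
    AND shares > 0 AND disablecompression = 'FALSE' AND patched = 'FALSE'
) THEN 'Vulnerable' ELSE 'Not Vulnerable' END"""

def assess(build, share_names, disable_compression, hotfixes):
    """Load constructed rows for one host into four osquery-shaped tables
    (build and registry data are TEXT, as in osquery) and run the check."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE os_version (build TEXT);
        CREATE TABLE shared_resources (name TEXT);
        CREATE TABLE registry (path TEXT, data TEXT);
        CREATE TABLE patches (hotfix_id TEXT);""")
    con.execute("INSERT INTO os_version VALUES (?)", (build,))
    con.executemany("INSERT INTO shared_resources VALUES (?)",
                    [(n,) for n in share_names])
    if disable_compression:  # DWORD 1 stored as text, like osquery's registry.data
        con.execute("INSERT INTO registry VALUES (?, ?)", (REG_PATH, "1"))
    con.executemany("INSERT INTO patches VALUES (?)", [(k,) for k in hotfixes])
    return con.execute(QUERY, {"reg_path": REG_PATH}).fetchone()[0]

if __name__ == "__main__":
    # Constructed hosts: unpatched 1903 with a data share; the registry
    # workaround; the March 2020 fix; a later update with an unknown (placeholder) ID.
    print(assess("18362", ["Data", "ADMIN$", "IPC$"], False, []))   # Vulnerable
    print(assess("18362", ["Data"], True, []))                      # Not Vulnerable
    print(assess("18363", ["Data"], False, ["KB4551762"]))          # Not Vulnerable
    print(assess("18363", ["Data"], False, ["KB0000000"]))          # Vulnerable (false positive)
```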
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.