cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows SMBv3 Client/Server Remote Code Execution Vulnerability (CVE-2020-0796)

Description:
Discover SMB servers potentially vulnerable to CVE-2020-0796. Indicates vulnerability when shares are present, SMB compression is enabled, and Windows build is 18362 or 18363. To further validate existing SMB servers, see the IT Hygiene query Rogue Share detection.

Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796

SQL: 

    SELECT CASE WHEN EXISTS (
  SELECT build, shares, disablecompression, patched
  FROM
    (SELECT build FROM os_version),
    (SELECT count(name) as shares
      FROM shared_resources
        WHERE NOT lower(name) = "admin$"
        AND NOT lower(name) = "ipc$"
        AND NOT lower(name) = "c$"),
    (SELECT CASE WHEN EXISTS
      (SELECT data FROM registry
        WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression' AND data=1)
        THEN 'TRUE' ELSE 'FALSE' END AS disablecompression),
    (SELECT CASE WHEN EXISTS
      (SELECT hotfix_id from patches where hotfix_id = "KB4551762")
        THEN 'TRUE' ELSE 'FALSE' END AS patched)
  WHERE ( build = 18362 OR build = 18363 )
  AND shares > 0
  AND disablecompression = 'FALSE'
  AND patched = 'FALSE'
)
THEN 'Vulnerable' ELSE 'Not Vulnerable' END 'SMBv3 CVE-2020-0796';

 

Results:
Flags SMB servers as vulnerable when shares are present, compression is enabled, and Windows build is 18362 or 18363. Possible future false-positives after patches are available and applied.

1 Comment
Carbon Black Employee
Status changed to: Approved

Thanks @gallen