Description: Discover SMB servers potentially vulnerable to CVE-2020-0796 (SMBv3 compression). Indicates vulnerability when non-default shares are present, SMB compression is enabled (the DisableCompression registry value is absent or not 1), the Windows build is 18362 or 18363, and hotfix KB4551762 is not installed. To further validate existing SMB servers, see the IT Hygiene query Rogue Share detection.
SELECT CASE WHEN EXISTS (
    SELECT build, shares, disablecompression, patched
    FROM
        (SELECT build FROM os_version),
        (SELECT count(name) AS shares FROM shared_resources
         WHERE NOT lower(name) = 'admin$'
           AND NOT lower(name) = 'ipc$'
           AND NOT lower(name) = 'c$'),
        (SELECT CASE WHEN EXISTS (
             SELECT data FROM registry
             WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression'
               AND data = 1)
         THEN 'TRUE' ELSE 'FALSE' END AS disablecompression),
        (SELECT CASE WHEN EXISTS (
             SELECT hotfix_id FROM patches WHERE hotfix_id = 'KB4551762')
         THEN 'TRUE' ELSE 'FALSE' END AS patched)
    WHERE (build = 18362 OR build = 18363)
      AND shares > 0
      AND disablecompression = 'FALSE'
      AND patched = 'FALSE'
) THEN 'Vulnerable' ELSE 'Not Vulnerable' END AS 'SMBv3 CVE-2020-0796';
Results: Flags SMB servers as vulnerable when non-default shares are present, compression is enabled, the Windows build is 18362 or 18363, and KB4551762 is absent. Because the patch check matches only that hotfix ID, false positives are possible once later updates that supersede KB4551762 are applied.
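The query above collapses four signals into a single verdict, which is convenient for alerting but opaque for triage. The following companion query is an added example, not part of the original query pack; it reads the same osquery tables (os_version, shared_resources, registry, patches) on a Windows host and returns each signal as its own column alongside the verdict, so an analyst can see whether a "Vulnerable" result came from a missing hotfix, a missing DisableCompression value, or an unexpected share. The column aliases are the author's own choices.

```sql
-- Added diagnostic companion to the CVE-2020-0796 check (example, not pack code).
-- Each scalar subquery mirrors one condition of the original verdict query.
SELECT
    os.version AS os_version,
    os.build   AS build,
    -- Shares other than the default administrative shares.
    (SELECT count(name) FROM shared_resources
      WHERE lower(name) NOT IN ('admin$', 'ipc$', 'c$')) AS non_default_shares,
    -- NULL here means the value does not exist, i.e. compression is still enabled
    -- (the workaround from the Microsoft advisory sets this DWORD to 1).
    (SELECT data FROM registry
      WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression') AS disable_compression,
    -- 1 when the fixing hotfix is listed by the patches table, 0 otherwise.
    (SELECT count(hotfix_id) FROM patches
      WHERE hotfix_id = 'KB4551762') AS kb4551762_installed,
    -- Same decision logic as the original query, expressed over the columns above.
    CASE
      WHEN os.build IN ('18362', '18363')
       AND (SELECT count(name) FROM shared_resources
             WHERE lower(name) NOT IN ('admin$', 'ipc$', 'c$')) > 0
       AND COALESCE((SELECT data FROM registry
             WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression'), '0') != '1'
       AND (SELECT count(hotfix_id) FROM patches WHERE hotfix_id = 'KB4551762') = 0
      THEN 'Vulnerable'
      ELSE 'Not Vulnerable'
    END AS verdict
FROM os_version AS os;
```

Run it interactively in osqueryi or schedule it next to the verdict query. A row with kb4551762_installed = 0 on a build that has received a later cumulative update is the false-positive case noted in Results: the patches table lists hotfix IDs, so a superseding update does not show up as KB4551762, and the build column (or an explicit minimum UBR/patch level check, which this example does not include) is the better signal in that situation.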