Yesterday Microsoft and Talos “accidentally” revealed CVE-2020-0796. It appeared and then disappeared, but remnants of the posts were left behind. Microsoft has published an advisory, and it appears the vulnerability is in SMBv3 compression.
Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
Fortinet Post: https://fortiguard.com/encyclopedia/ips/48773
Users are advised to disable SMBv3 and to block ports 137, 139 and 445 inbound and outbound on the firewall. Also, make sure you’re logging and monitoring!
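As an added example (not code from the original post), here is a PowerShell snippet that audits and applies those workarounds on a Windows host: it uses the narrower step Microsoft's advisory ADV200005 gives, disabling SMBv3 compression via the DisableCompression registry value, and adds host-firewall rules for the ports named above. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later); the firewall rule names are made up.

```powershell
# Added example, not from the original post: audit and apply the CVE-2020-0796
# workarounds on a Windows host. Run from an elevated PowerShell session.
# Assumes the DisableCompression value documented in Microsoft advisory ADV200005
# and the NetSecurity firewall cmdlets; the rule names below are made up.

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$rulePrefix   = 'Block SMB (CVE-2020-0796)'
# Ports named in the post: 137 (NetBIOS name service, UDP), 139 and 445 (TCP).
$smbPorts = @(
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'TCP'; Port = @(139, 445) }
)

function Get-SmbGhostMitigationState {
    # Is SMBv3 compression disabled, and are the blocking rules present and enabled?
    $reg   = Get-ItemProperty -Path $lanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    $rules = @(Get-NetFirewallRule -DisplayName "$rulePrefix*" -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        CompressionDisabled = ($null -ne $reg -and $reg.DisableCompression -eq 1)
        PortRulesEnabled    = $rules.Count      # 4 expected: 2 protocols x 2 directions
    }
}

function Set-SmbGhostMitigation {
    # 1) The advisory's workaround: disable SMBv3 compression. No reboot is needed,
    #    but it only protects the server role; SMB clients still need the patch.
    Set-ItemProperty -Path $lanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force

    # 2) Block SMB inbound (local port) and outbound (remote port) at the host firewall.
    foreach ($direction in 'Inbound', 'Outbound') {
        foreach ($p in $smbPorts) {
            $name = "$rulePrefix $direction $($p.Protocol)"
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            $portArg = if ($direction -eq 'Inbound') { @{ LocalPort = $p.Port } }
                       else                          { @{ RemotePort = $p.Port } }
            New-NetFirewallRule -DisplayName $name -Direction $direction -Action Block `
                                -Protocol $p.Protocol @portArg | Out-Null
        }
    }
}

Write-Host 'Before:'; Get-SmbGhostMitigationState
Set-SmbGhostMitigation
Write-Host 'After:';  Get-SmbGhostMitigationState
```

Blocking 139/445 outbound also stops the host from reaching legitimate file shares, so scope the outbound rules to your environment before rolling them out widely.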
Search for the possibly vulnerable servers using the script here:
Bash script using Nmap to detect server systems vulnerable to CVE-2020-0796 aka #CoronaBlue #SmbGhost
— Florian Roth (@cyb3rops) March 11, 2020
– use it to scan the internet range, networks with attack surface (shared zones with providers / suppliers) etc. https://t.co/uVCtf65L8H
This will be one to keep an eye on, as everyone believes it to be a “wormable” vulnerability; it is already being given names like “EternalBlue-er”, “CoronaBlue”, “SMBGhost” and “EternalDarkness”.
I will post more information as it becomes available.