The flaw affects Windows 10 builds 1903 and 1909; older and newer versions of Windows 10 are not vulnerable. If an SMBGhost exploit proves as successful as the 2017 ransomware worm WannaCry was, it would give rise to an unlimited number of "worms" that spread across the Internet on their own.
"Recent open source reports indicate that malicious cyber actors are targeting systems that have not been patched with the new PoC [proof of concept]," warns a CISA advisory released on June 5.
"CISA strongly recommends that firewalls be used to block SMB ports from the Internet and that patches for critical, high severity vulnerabilities be applied as soon as possible."
This is not the first proof of concept exploiting the SMBGhost flaw, nor does it work that well yet. However, it does allow fairly consistent remote code execution, i.e., hacking via the Internet, and is one step closer to a global worm.
"This has not been tested outside of my lab environment. It was written quickly and needs some work to make it more reliable," the proof-of-concept developer, who calls himself Chompie, wrote in a GitHub post. "Using this for anything other than self-education is an extremely bad idea. Your computer will go up in flames. Puppies will die."
Chompie provided a demonstration video of a Mac using this exploit to hack a PC.
Will Dormann, a vulnerability analyst at Carnegie Mellon University's Defense Department-funded CERT Coordination Center in Pittsburgh, said Chompie's exploit code "is not completely reliable, but ... It certainly works!"
The fact that SMBGhost's network-jumping exploit is working even in part, and that the bad guys may be using it according to CISA, means that Windows 10 1903 or 1909 builds without the March patch installed are vulnerable to attacks from the Internet.
The solution, of course, is to install the standalone patch that Microsoft announced on March 12. You can also upgrade to Windows 10 build 2004, which is currently being distributed for PCs. And, if you can, set your firewall to block port 445 from the outside. [19]
In theory, a Microsoft security patch should be installed as soon as it is issued. But that in itself often causes problems, especially for companies that are patching dozens or hundreds of PCs at a time.