SMBGHOST - CVE-2020-0796
CVE-2020-0796 is a buffer overflow vulnerability that exists due to an error in the way
the vulnerable Microsoft Server Message Block (SMB) protocol handles a maliciously
crafted compressed data packet. It could be exploited by a remote, unauthenticated
attacker to execute arbitrary code and gain control over vulnerable systems. In addition,
researchers noted the vulnerability could be exploited in a “wormable” attack, in
which an attacker could easily and quickly move from one victim on the network to
another. Of note, the vulnerability only affects SMBv3, the latest version of the SMB
protocol, which exists only in recent versions of the Windows operating system.
Thus, only Windows 10 and Windows Server 2019 are vulnerable, and specifically
builds 1903 and 1909 of both OS versions.
In June 2020, CISA warned that threat actors were targeting unpatched systems with
a new PoC. [19]
If we compare CVE-2020-0796/SMBGhost (received 52 posts in the past year) to
CVE-2020-1472/Zerologon (received 38 posts in the past year), mentioned above,
it is interesting to see that there are probably fewer news reports about incidents
involving the exploitation of SMBGhost.
CVE-2019-19781
CVE-2019-19781 affects the Citrix Application Delivery Controller (ADC), formerly
known as NetScaler ADC. Successful exploitation of the vulnerability could allow an
unauthenticated attacker to connect remotely and execute arbitrary code on the
affected system.
Since the vulnerability was disclosed, it has been successfully exploited by:
1. Ransomware gangs, such as REvil, Ragnarok, DoppelPaymer, Maze, and Nephilim,
in a significant number of incidents. [20]
2. Nation-state groups, such as the Russian APT29 group and the Chinese APT41
group, which used exploits abusing this flaw for initial access to targeted organizations
in multiple industries, such as financial, government, defense and healthcare, in
global campaigns. [21]
19. https://us-cert.cisa.gov/ncas/current-activity/2020/06/05/unpatched-microsoft-systems-vulnerable-cve-2020-0796; https://www.scmagazine.com/home/security-news/vulnerabilities/cisa-warns-attackers-are-using-exploit-code-for-smbghost-bug/; https://techxplore.com/news/2020-06-homeland-windows-worm.html
20. https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/; https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/; https://www.infosecurity-magazine.com/news/it-services-firm-conduent-felled/; https://www.bankinfosecurity.com/nephilim-ransomware-gangtied-to-citrix-gateway-hacks-a-14480; https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp
21. https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html; https://attack.mitre.org/groups/G0096/; https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf; https://attack.mitre.org/groups/G0016/
8 Vulnerability Threat Intelligence Report