
Researcher Warns 100,000 Devices Still Vulnerable to SMBGhost Attacks
2020-11-02 18:43

According to Jan Kopriva, a team leader of ALEF's Computer Security Incident Response Team and SANS ISC contributor, despite the attention the vulnerability received when first disclosed and the public availability of PoCs for exploiting it, Shodan searches show upwards of 100,000 systems still vulnerable.

Shodan, he explains, can be used to discover systems that are affected by a specific vulnerability, although the exact manner in which the search engine determines whether a machine is vulnerable to SMBGhost attacks is unclear.

"But if its detection mechanism is accurate, it would appear that there are still over 103 000 affected machines accessible from the internet. This would mean that a vulnerable machine hides behind approximately 8% of all IPs, which have port 445 open," the researcher says.

"It is hard to say why so many unpatched machines are still out there. Microsoft did release the patch for CVE-2020-0796 out-of-band instead of as a part of its usual Patch Tuesday pack of fixes, but that was the only unusual thing about it, and it doesn't make much sense that this would be the reason why it still isn't applied on so many systems," the researcher notes.

Kopriva also points out that, provided that Shodan is an accurate tool, the large number of vulnerable machines out there is concerning, given that SMBGhost is "Wormable" and allows for code execution.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/AKR8KmEXoLk/researcher-warns-100000-devices-still-vulnerable-smbghost-attacks

Related Vulnerability

Date: 2020-03-12
CVE: CVE-2020-0796
Vulnerability title: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Windows 10 and Windows Server 2016
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
Tags: network, low complexity, microsoft, CWE-119
Risk: 7.5