CVE-2020-0796 Overview
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. This vulnerability, commonly referred to as "SMBGhost" or "CoronaBlue," allows attackers to execute arbitrary code on vulnerable Windows systems without authentication. The flaw resides in the SMBv3 compression feature and can be exploited both remotely against SMB servers and locally for privilege escalation.
Critical Impact
This wormable vulnerability enables unauthenticated remote code execution with SYSTEM privileges, potentially allowing attackers to spread malware across networks without user interaction. CISA has confirmed active exploitation in the wild.
Affected Products
- Microsoft Windows 10 version 1903 (x86, x64, ARM64)
- Microsoft Windows 10 version 1909 (x86, x64, ARM64)
- Microsoft Windows Server version 1903 (x64)
- Microsoft Windows Server version 1909 (x64)
Discovery Timeline
- 2020-03-10 - Microsoft publishes advisory ADV200005 with the DisableCompression workaround, ahead of a patch
- 2020-03-12 - Out-of-band security update KB4551762 released; CVE-2020-0796 published to NVD
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2020-0796
Vulnerability Analysis
CVE-2020-0796 is an integer overflow that leads to a kernel pool buffer overflow in the SMBv3.1.1 compression handling code of the Windows kernel driver srv2.sys. When a compressed message arrives, the driver derives the size of its decompression buffer from two attacker-controlled header fields without checking that their sum fits in 32 bits; the undersized buffer is then overrun by the decompressed data. Because srv2.sys runs in kernel mode, successful exploitation yields code execution at SYSTEM level or higher.
The vulnerability is particularly dangerous because it requires no authentication and can be triggered over the network against any affected system that has SMBv3.1.1 compression enabled, which is the default on the listed builds. The same flaw can be exploited locally, through a loopback SMB connection, to escalate from a low-privileged user to SYSTEM, and public privilege-escalation exploits exist. Its wormable nature means malware could propagate between vulnerable systems automatically, as EternalBlue did in the WannaCry ransomware attacks, although reliable remote code execution is considerably harder to achieve than the crash (denial of service) that a single malformed message produces.
Root Cause
The root cause of CVE-2020-0796 is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), reached through an unchecked integer addition. srv2.sys gained compression support with SMBv3.1.1, and its decompression routine (Srv2DecompressData) sizes the output buffer from two fields of the SMB2_COMPRESSION_TRANSFORM_HEADER: OriginalCompressedSegmentSize, the expected size of the decompressed data, and Offset, the number of uncompressed bytes that precede the compressed segment. The driver adds these two unsigned 32-bit values and passes the result to its buffer allocator (SrvNetAllocateBuffer) with no overflow check. Values such as OriginalCompressedSegmentSize = 0xFFFFFFFF and Offset = 0x10 sum, in 32-bit arithmetic, to 0x0F, so a tiny buffer is allocated; the driver then copies the Offset-byte prefix into it and decompresses up to OriginalCompressedSegmentSize bytes at buffer + Offset, overrunning the kernel pool allocation.
Attack Vector
The attack vector for CVE-2020-0796 is network-based and requires no user interaction or authentication. An attacker can exploit this vulnerability by sending specially crafted SMBv3 packets to port 445 on a vulnerable target. The attack can target:
SMB Servers: Any Windows 10 version 1903/1909 or Windows Server version 1903/1909 system accepting SMB connections can be compromised remotely.
SMB Clients: An attacker can also compromise client systems by hosting a malicious SMB server and enticing victims to connect to it.
Local Privilege Escalation: The vulnerability can be leveraged locally to escalate from a standard user to SYSTEM privileges.
The trigger is a single SMB2 message whose ProtocolId is 0xFC 'S' 'M' 'B' (a compression transform) and whose OriginalCompressedSegmentSize and Offset fields are chosen so that their 32-bit sum wraps. No prior session setup is needed, only a dialect 3.1.1 negotiation. The immediate effect is corruption of adjacent kernel pool allocations: the simplest outcome is a bug check, and turning the overflow into controlled code execution requires additional work, which public exploits have demonstrated for the local privilege-escalation case.
Detection Methods for CVE-2020-0796
Indicators of Compromise
- Unexpected SMB traffic on port 445 with compression headers containing anomalous size values
- System crashes or blue screens (BSOD) related to srv2.sys driver failures
- Unusual memory corruption patterns in Windows kernel dumps
- Process creation with SYSTEM privileges from unexpected parent processes
Detection Strategies
- Deploy network intrusion detection signatures that identify malformed SMBv3 compression headers
- Monitor SMB traffic for compression transform headers (ProtocolId 0xFC 'S' 'M' 'B') whose OriginalCompressedSegmentSize plus Offset exceeds 0xFFFFFFFF, or whose Offset exceeds the number of bytes actually on the wire; both fields are unsigned, so look for 32-bit wrap-around rather than negative values
- Implement endpoint detection rules for the post-exploitation behaviour: SYSTEM-level processes spawned without a legitimate service parent, and srv2.sys bug checks, since a failed exploit attempt crashes the target
- Enable Windows Event logging for SMB server events and monitor for connection anomalies
- Utilize memory protection technologies that can detect heap overflow attempts
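As an added example that is not part of the original page and is not Microsoft's code, the following Python parses the SMB2 compression transform header, reproduces the wrapped size calculation described in the root cause and attack vector sections above, and applies the detection checks listed here to constructed packets. The field layout follows MS-SMB2; the 8 MiB size ceiling, the function names and the sample bytes are assumptions made for the example.

```python
"""
Added example, not code from the original page or from Microsoft: it parses an
SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 section 2.2.42) and reproduces, in
32-bit arithmetic, the buffer-size calculation behind CVE-2020-0796, then flags
messages that would trigger it. All packet bytes below are constructed.
"""
import struct

# ProtocolId that marks a compressed SMB2 message: 0xFC 'S' 'M' 'B'
COMPRESSION_TRANSFORM_ID = b"\xfcSMB"
HEADER_FORMAT = "<4sIHHI"          # ProtocolId, OriginalCompressedSegmentSize,
                                   # CompressionAlgorithm, Flags, Offset/Length
HEADER_LEN = struct.calcsize(HEADER_FORMAT)   # 16 bytes
UINT32_MAX = 0xFFFFFFFF
# Assumed ceiling for a plausible decompressed message; tune it to the
# MaxTransactSize negotiated in the environment being monitored.
MAX_ORIGINAL_SIZE = 8 * 1024 * 1024


def parse_transform_header(data: bytes) -> dict:
    """Unpack the 16-byte header and reject anything that is not a transform."""
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than a compression transform header")
    proto, orig_size, algorithm, flags, offset = struct.unpack_from(HEADER_FORMAT, data, 0)
    if proto != COMPRESSION_TRANSFORM_ID:
        raise ValueError("ProtocolId is not 0xFC 'S' 'M' 'B'")
    return {
        "original_size": orig_size,   # size the decompressed segment should have
        "algorithm": algorithm,       # 1 = LZNT1, 2 = LZ77, 3 = LZ77+Huffman
        "flags": flags,
        "offset": offset,             # uncompressed bytes that precede the segment
    }


def vulnerable_alloc_size(orig_size: int, offset: int) -> int:
    """Pre-patch behaviour: srv2.sys added the two ULONGs and let the sum wrap."""
    return (orig_size + offset) & UINT32_MAX


def patched_alloc_size(orig_size: int, offset: int):
    """Post-patch behaviour: an overflow-checked add; None means 'reject message'."""
    total = orig_size + offset
    return None if total > UINT32_MAX else total


def inspect_message(data: bytes) -> dict:
    """Classify one compressed SMB2 message the way a detection rule for this bug would."""
    header = parse_transform_header(data)
    payload_len = len(data) - HEADER_LEN
    reasons = []

    # Root cause: the wrapped sum becomes the allocation size, yet the driver
    # still decompresses up to original_size bytes at buffer + offset.
    if patched_alloc_size(header["original_size"], header["offset"]) is None:
        wrapped = vulnerable_alloc_size(header["original_size"], header["offset"])
        reasons.append("OriginalCompressedSegmentSize + Offset wraps 32 bits; "
                       f"unpatched driver would allocate only {wrapped:#x} bytes")

    # Offset counts bytes that must physically follow the header.
    if header["offset"] > payload_len:
        reasons.append(f"Offset {header['offset']:#x} exceeds the {payload_len} bytes on the wire")

    # A decompressed segment larger than any negotiated SMB message is never legitimate.
    if header["original_size"] > MAX_ORIGINAL_SIZE:
        reasons.append(f"OriginalCompressedSegmentSize {header['original_size']:#x} "
                       f"exceeds assumed maximum {MAX_ORIGINAL_SIZE:#x}")

    return {"header": header, "suspicious": bool(reasons), "reasons": reasons}


def build_message(orig_size: int, offset: int, payload: bytes, algorithm: int = 1) -> bytes:
    """Construct a compressed message (header + payload) for testing; algorithm 1 = LZNT1."""
    return struct.pack(HEADER_FORMAT, COMPRESSION_TRANSFORM_ID, orig_size, algorithm, 0, offset) + payload


# Constructed samples: a plausible compressed message and a CVE-2020-0796 trigger.
BENIGN_MESSAGE = build_message(orig_size=0x100, offset=0, payload=b"\x00" * 32)
MALICIOUS_MESSAGE = build_message(orig_size=0xFFFFFFFF, offset=0x10, payload=b"\x41" * 32)

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_MESSAGE), ("malicious", MALICIOUS_MESSAGE)):
        result = inspect_message(msg)
        print(name, "suspicious" if result["suspicious"] else "ok")
        for reason in result["reasons"]:
            print("   -", reason)
```

Run as a script it prints the verdict for each constructed message; in a sensor the same inspect_message function would be fed the first 16 bytes of every SMB2 message on TCP 445 whose ProtocolId is 0xFC 'S' 'M' 'B'. The wrap check is the one that matters for this CVE; the other two are cheap sanity checks that also catch fuzzing and scanner traffic.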
Monitoring Recommendations
- Continuously monitor port 445 traffic at network boundaries and internal segments
- Implement network segmentation to limit lateral movement potential via SMB
- Deploy SentinelOne agents to detect and prevent kernel-level exploitation attempts
- Review firewall logs for external SMB connection attempts to identify reconnaissance activity
How to Mitigate CVE-2020-0796
Immediate Actions Required
- Apply Microsoft's security patch KB4551762 immediately to all affected systems
- Block TCP port 445 at the network perimeter to prevent external exploitation
- Disable SMBv3 compression as a temporary workaround if patching is not immediately possible
- Audit your environment for Windows 10 and Windows Server versions 1903 and 1909
Patch Information
Microsoft released the out-of-band security update KB4551762 on March 12, 2020 (OS builds 18362.720 and 18363.720), which addresses this vulnerability. The patch adds the missing overflow check to the buffer size calculation in the SMBv3 compression handling code. Organizations should apply it through Windows Update, WSUS, or manual installation from the Microsoft Update Catalog, and confirm the installed build number afterwards.
Given that this vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog with confirmed active exploitation, patching should be treated as an emergency priority.
Workarounds
- Disable SMBv3 compression using PowerShell to mitigate server-side attacks (does not protect SMB clients)
- Block inbound and outbound SMB traffic on port 445 at network firewalls
- Implement network segmentation to restrict SMB communication to essential systems only
- Disabling SMBv2/SMBv3 entirely (Set-SmbServerConfiguration -EnableSMB2Protocol $false) is a last resort: the same switch removes SMBv2 and breaks file and printer sharing on the host, so prefer the compression workaround or firewall controls until the patch can be applied
# Disable SMBv3 compression (temporary workaround from Microsoft advisory ADV200005)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "DisableCompression" -Type DWORD -Value 1 -Force
# Verify the setting was applied (expect DisableCompression : 1)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "DisableCompression"
# Re-enable compression once KB4551762 is installed
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "DisableCompression" -Type DWORD -Value 0 -Force
# Note: This workaround only protects SMB servers, not clients
# A system restart is NOT required for this change to take effect
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


