SMBGhost is caused by a kind of bug in SMBv3 decompression processes in Windows Server 1903 and 1909, and Windows 10. When bounds to check the handling of requests by SMBv3 protocol are not sufficient, certain SMB packets cause an overflow of buffer, and ultimately the Windows kernel crash, leading to Blue Screen of Death.
Hackers may also exploit this kind of vulnerability to get unauthorised remote code execution and make it prone to virus. However, it is difficult to exploit such vulnerability, since a number of security features are implemented in the Windows kernel. When an in-depth SMBGhost scanner does its job, the vulnerability is shown in the SmbCompress Decompress function, that serves as a wrapper on RtlDecompressBufferEx2. This is an important function for SMBv3 client as well as server implementation, adding vulnerability to both of them.
How the Scanner Works?
The job of a scanner is to find out if the server supports SMBv3.1.1 and if it is compression enabled or not. While it may not be able to detect reliably due to same settings in the patched systems, it may successfully detect non-vulnerable Windows hosts. To detect such settings, the scanner initiates SMB negotiation with the help of target server. In case the SMB response has the proposed settings, the scanner may declare that there is potential vulnerability to SMBGhost.
In order to verify if your system is vulnerable or patched, you must check if your Windows system is updated with the KB4551762 installation. You may also run a manual exploit against the system causing kernel crash.
The SMBGhost scanner offered by Security for Everyone is a high-end tool that can quickly detect vulnerability in your system and detect if your Windows are susceptible to get BSOD due to buffer overflow. Depending on the results received, you can make the required changes and updates in your system and avoid any unlikely situation.