The Server Message Block Protocol (SMB protocol), which runs over TCP port 445, is a client-server communication protocol for sharing access to files, printers, network browsing, and inter-process communication.
Security researchers from ZecOps have discovered a new critical vulnerability, ‘SMBleed’, affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely. When combined with the previously disclosed “wormable” RCE vulnerability SMBGhost, it allows attackers to gain remote code execution on the SMB server or client. Vulnerability management software can stop these attacks.
The flaw exists in SMB’s decompression function. This is the same function (Srv2DecompressData) in the srv2.sys SMB server driver that was affected by ‘SMBGhost’, sometimes known as the ‘EternalDarkness’ vulnerability (CVE-2020-0796), which came to light during Microsoft’s Patch Tuesday in March 2020 and potentially opened vulnerable Windows systems to malware attacks that could spread across the network and infect other machines in no time. That flaw lay in the SMBv3.1.1 protocol’s handling of compressed data packets. A good vulnerability management tool can help to combat these vulnerabilities.
Although Microsoft had released the SMBGhost patch for all affected versions, recently security researchers have unveiled a new critical vulnerability that’s related to SMBGhost, which has been named ‘SMBleed.’
SMBleed Vulnerability:
- SMBleed is tracked as ‘CVE-2020-1206’ and received a maximum severity rating score of 10. When SMBleed is chained with SMBGhost, an attacker could achieve pre-authentication remote code execution.
- The flaw stems from the way the decompression function (Srv2DecompressData) handles specially crafted message requests (such as SMB2 WRITE) that are sent to a targeted SMBv3 server.
- “The message structure contains fields such as the number of bytes to write and flags, followed by a variable-length buffer. That’s perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data,” according to ZecOps researchers.
- To exploit this vulnerability on a server, an unauthenticated attacker can send a maliciously crafted packet to a vulnerable SMBv3 server. If the target is running as a client, however, the attacker has to set up a malicious SMBv3 server and convince a user to connect to it.
- Successful exploitation of the vulnerability could allow an attacker to read uninitialized kernel memory and make modifications to the compression function.
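The bullets above describe the root cause: the compression transform header announces how many decompressed bytes to expect, and a later handler trusts that announced size even when the decompressor produced fewer bytes. The following is an added illustration (not ZecOps’ or Microsoft’s code) of the two checks a hardened receiver or a network detector would apply around that step: a structural sanity check on the header before decompression, and a post-decompression check that the produced length matches the claimed OriginalCompressedSegmentSize. Field names and layout follow the SMB2 COMPRESSION_TRANSFORM_HEADER in the MS-SMB2 specification (unchained form); the sample headers are constructed, not captured traffic.

```python
import struct

# MS-SMB2 2.2.42 COMPRESSION_TRANSFORM_HEADER (unchained form), little-endian:
#   ProtocolId (4 bytes)                 = 0xFC 'S' 'M' 'B'
#   OriginalCompressedSegmentSize (ULONG) = size the decompressed data must have
#   CompressionAlgorithm (USHORT)         = e.g. 0x0001 LZNT1
#   Flags (USHORT)
#   Offset (ULONG)                        = uncompressed bytes preceding the compressed segment
PROTOCOL_ID = b"\xfcSMB"
HEADER_FMT = "<4sIHHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes
ULONG_MAX = 0xFFFFFFFF


def parse_compression_header(msg: bytes) -> dict:
    """Parse the fixed 16-byte transform header from the start of an SMB2 message."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than a compression transform header")
    proto, orig_size, algo, flags, offset = struct.unpack_from(HEADER_FMT, msg, 0)
    if proto != PROTOCOL_ID:
        raise ValueError("ProtocolId is not the SMB2 compression transform marker")
    return {"original_size": orig_size, "algorithm": algo, "flags": flags, "offset": offset}


def check_header(hdr: dict, msg_len: int) -> list:
    """Sanity checks applied before any decompression is attempted.

    Returns a list of human-readable findings; an empty list means the header is
    structurally plausible. Arithmetic is done in Python integers, so the 32-bit
    wrap that a C implementation would silently suffer is detected instead."""
    findings = []
    if hdr["offset"] + hdr["original_size"] > ULONG_MAX:
        findings.append("Offset + OriginalCompressedSegmentSize overflows a 32-bit ULONG")
    if hdr["offset"] > msg_len - HEADER_LEN:
        findings.append("Offset points past the end of the received message")
    if hdr["original_size"] == 0:
        findings.append("OriginalCompressedSegmentSize is zero")
    return findings


def validate_decompressed(hdr: dict, produced_len: int) -> bool:
    """Post-decompression check.

    The decompressor must fill exactly the number of bytes the header claims. A
    shorter result leaves claimed-but-never-written bytes at the end of the output
    buffer; if a later handler (such as SMB2 WRITE) trusts the header's size, those
    bytes are consumed as uninitialized memory. That is the condition SMBleed
    abuses, so a hardened receiver rejects the message rather than continuing."""
    return produced_len == hdr["original_size"]


# Constructed samples (not captured traffic). The first claims 0x1000 decompressed
# bytes; the second carries an Offset/size pair that would wrap a 32-bit sum.
SAMPLE_SHORT_OUTPUT = struct.pack(HEADER_FMT, PROTOCOL_ID, 0x1000, 0x0001, 0, 0) + b"\x00" * 16
SAMPLE_OVERFLOW = struct.pack(HEADER_FMT, PROTOCOL_ID, 0xFFFFFFF0, 0x0001, 0, 0x20) + b"\x00" * 32


def triage(msg: bytes, produced_len: int) -> list:
    """Run both stages over one message and return every finding."""
    hdr = parse_compression_header(msg)
    findings = check_header(hdr, len(msg))
    if not findings and not validate_decompressed(hdr, produced_len):
        findings.append(
            "decompressor produced %d bytes but header claims %d"
            % (produced_len, hdr["original_size"])
        )
    return findings


if __name__ == "__main__":
    # Simulate a decompressor that only produced 0x10 bytes for the first sample.
    for name, msg, produced in (("short-output", SAMPLE_SHORT_OUTPUT, 0x10),
                                ("overflow", SAMPLE_OVERFLOW, 0)):
        print(name, triage(msg, produced) or "ok")
```

The point of `check_header` is that the arithmetic is done before any buffer is allocated; the point of `validate_decompressed` is that the header’s claimed size is never used as the length of the output once the decompressor has reported how much it actually wrote.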
Achieving Remote Code Execution with SMBleed and SMBGhost:
- Unauthenticated exploitation of SMBleed, whilst achievable, is “less straightforward.” ZecOps researchers therefore chained SMBleed with SMBGhost to gain unauthenticated RCE.
- They have not disclosed any technical details about chaining the two vulnerabilities together. However, they did share a PoC as well as a GIF that shows them gaining RCE.
This news comes shortly after SMBGhost exploit code was published publicly last week as a PoC. The Cybersecurity and Infrastructure Security Agency (CISA) advised users to update their Windows 10 machines without delay.
Impact
The exploitation of these vulnerabilities could allow remote attackers to access sensitive information or execute arbitrary code on the target systems with unpatched SMBv3 server/client.
Affected Products
- Windows 10 Version 1903
  - 32/64-bit Systems
  - ARM64-based Systems
  - Server Core installation
- Windows 10 Version 1909
  - 32/64-bit Systems
  - ARM64-based Systems
  - Server Core installation
- Windows 10 Version 2004
  - 32/64-bit Systems
  - ARM64-based Systems
  - Server Core installation
Solution
Microsoft has released a security fix for SMBleed in its monthly Patch Tuesday updates for June 2020.
SanerNow detects this vulnerability and automatically fixes it by applying security updates. Download SanerNow and keep your systems updated and secure.