The Server Message Block (SMB) protocol, which runs over TCP port 445, is a client-server communication protocol used for sharing access to files and printers, network browsing, and inter-process communication over a network.

Security researchers from ZecOps have discovered a new critical vulnerability, ‘SMBleed’, affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely and, when combined with the previously disclosed “wormable” RCE vulnerability SMBGhost, allows attackers to gain remote code execution on the SMB server or client.

The flaw exists in SMB’s decompression function, Srv2DecompressData, in the srv2.sys SMB server driver. This is the same function affected by ‘SMBGhost’, also known as ‘EternalDarkness’ (CVE-2020-0796), which came to light with Microsoft’s March 2020 Patch Tuesday and potentially exposed vulnerable Windows systems to malware that could spread across the network and infect other machines in a very short time. The flaw lies in the SMBv3.1.1 protocol’s handling of compressed data packets.

Although Microsoft had released the SMBGhost patch for all affected versions, security researchers have recently unveiled a new critical vulnerability related to SMBGhost, which has been named ‘SMBleed’.


SMBleed Vulnerability:

  • SMBleed is tracked as ‘CVE-2020-1206’ and received a maximum severity rating score of 10. When SMBleed is chained with SMBGhost, an attacker could achieve pre-authentication remote code execution.
  • The flaw stems from the way the decompression function (Srv2DecompressData) handles specially crafted message requests (such as SMB2 WRITE) sent to a targeted SMBv3 server.
  • “The message structure contains fields such as the number of bytes to write and flags, followed by a variable-length buffer. That’s perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data,” according to ZecOps researchers.
  • To exploit this vulnerability against a server, an unauthenticated attacker can send a maliciously crafted packet to a vulnerable SMBv3 server. If the target is running as a client, the attacker instead has to configure a malicious SMBv3 server and convince a user to connect to it.
  • Successful exploitation of the vulnerability could allow an attacker to read uninitialized kernel memory and make modifications to the compression function.
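The header-versus-buffer mismatch the bullets above describe, as an added illustrative example (not ZecOps’ PoC and not Microsoft’s srv2.sys code): it shows the two length-consistency checks a decompression path and a WRITE handler should apply, with field layouts taken from the MS-SMB2 specification as I recall them and all sample messages constructed inline.

```python
import struct

# Assumed layouts, from the MS-SMB2 specification as I recall them (not from the
# page or from srv2.sys); only the fields these checks need are decoded.
SMB2_HEADER_LEN = 64
SMB2_WRITE = 0x0009
WRITE_FIXED_LEN = 48            # fixed part of an SMB2 WRITE request (StructureSize 49)
COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
# ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset
TRANSFORM_HEADER = struct.Struct("<4sIHHI")


def check_decompressed_size(transform_header: bytes, decompressed: bytes) -> bool:
    """The declared original size must equal what decompression actually produced;
    trusting the declared size leaves uninitialized buffer bytes treated as message data."""
    proto, orig_size, _algo, _flags, _offset = TRANSFORM_HEADER.unpack(transform_header)
    return proto == COMPRESSION_PROTOCOL_ID and orig_size == len(decompressed)


def check_write_request(message: bytes) -> bool:
    """A WRITE request's declared Length must fit inside the bytes actually received."""
    if len(message) < SMB2_HEADER_LEN + WRITE_FIXED_LEN:
        return False
    command = struct.unpack_from("<H", message, 12)[0]
    if command != SMB2_WRITE:
        return True  # other commands need their own bounds checks
    structure_size, data_offset, length = struct.unpack_from("<HHI", message, SMB2_HEADER_LEN)
    return structure_size == 49 and data_offset + length <= len(message)


def build_write_request(data: bytes, declared_length=None) -> bytes:
    """Constructed sample: an SMB2 WRITE request carrying `data`; `declared_length`
    lets a test state a Length larger than the buffer really present."""
    length = len(data) if declared_length is None else declared_length
    header = b"\xfeSMB" + struct.pack("<HHIHH", 64, 0, 0, SMB2_WRITE, 0)
    header = header.ljust(SMB2_HEADER_LEN, b"\x00")
    body = struct.pack("<HHIQ16sIIHHI", 49, SMB2_HEADER_LEN + WRITE_FIXED_LEN, length,
                       0, b"\x00" * 16, 0, 0, 0, 0, 0)
    return header + body + data


def build_transform_header(original_size: int) -> bytes:
    """Constructed sample transform header (algorithm id 1 assumed to be LZNT1)."""
    return TRANSFORM_HEADER.pack(COMPRESSION_PROTOCOL_ID, original_size, 1, 0, 0)


if __name__ == "__main__":
    good = build_write_request(b"hello")
    assert check_write_request(good)
    assert check_decompressed_size(build_transform_header(len(good)), good)
    assert not check_write_request(build_write_request(b"hello", declared_length=4096))
    assert not check_decompressed_size(build_transform_header(len(good) + 64), good)
```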

Achieving Remote Code Execution with SMBleed and SMBGhost:

  • Unauthenticated exploitation of SMBleed, whilst achievable, is “less straightforward,” so the researchers chained SMBleed and SMBGhost to gain unauthenticated RCE, ZecOps notes.
  • They have not disclosed technical details about chaining the two vulnerabilities together, but they did share a PoC and a GIF showing them gaining RCE.

Image Source: ZecOps

This news comes shortly after SMBGhost exploit code was released publicly last week as a PoC. The Cybersecurity and Infrastructure Security Agency (CISA) advised users to update their Windows 10 machines without delay.


Impact

Exploitation of these vulnerabilities could allow remote attackers to access sensitive information or execute arbitrary code on target systems running an unpatched SMBv3 server or client.


Affected Products

  • Windows 10 Version 1903
    • 32/64-bit Systems
    • ARM64-based Systems
    • Server Core installation
  • Windows 10 Version 1909
    • 32/64-bit Systems
    • ARM64-based Systems
    • Server Core installation
  • Windows 10 Version 2004
    • 32/64-bit Systems
    • ARM64-based Systems
    • Server Core installation

Solution

Microsoft released a security fix for SMBleed in its June 2020 Patch Tuesday updates.

SanerNow detects this vulnerability and automatically fixes it by applying security updates. Download SanerNow and keep your systems updated and secure.


Source: https://www.secpod.com/blog/a-critical-vulnerability-smbleed-impacts-windows-smb-protocol/