What's new

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol

WELCOME TO THEWINDOWSFORUM COMMUNITY!

Our community has more than 50.000 registered members, and we'd love to have you as a member. Join us and take part in our unbiased discussions among people of all different backgrounds about Windows OS, Software, Hardware and more.

ThumperTM

La Patróna
Owner
Aug 18, 2010
12,376
8,883
OS
Windows 10
BR
Chrome 83.0.4103.97
SMBleed.jpg
Cybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks.

Dubbed "SMBleed" (CVE-2020-1206) by cybersecurity firm ZecOps, the flaw resides in SMB's decompression function — the same function as with SMBGhost or EternalDarkness bug (CVE-2020-0796), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks.

The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.

The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week warning Windows 10 users to update their machines after exploit code for SMBGhost bug was published online last week.

SMBGhost was deemed so serious that it received a maximum severity rating score of 10.

SMBleed vulnerability
"Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports," CISA said.

SMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network.

According to ZecOps researchers, the flaw stems from the way the decompression function in question ("Srv2DecompressData") handles specially crafted message requests (e.g., SMB2 WRITE) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function.

"The message structure contains fields such as the amount of bytes to write and flags, followed by a variable-length buffer," the researchers said. "That's perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data."

"An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server," Microsoft said in its advisory.

"To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it," Microsoft added.

smbleed
Worse, SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution. The firm has also released a proof-of-concept exploit code demonstrating the flaws.

windows security
To mitigate the vulnerability, it's recommended that home and business users install the latest Windows updates as soon as possible.

For systems where the patch is not applicable, it's advised to block port 445 to prevent lateral movement and remote exploitation.

Microsoft's security guidance addressing SMBleed and SMBGhost in Windows 10 version 1909 and 1903 and Server Core for the same versions can be found here and here.


Source: thehackernews
 

DVDR_Dog

Well-Known Member
Ultimate Donator
Donator
VIP
Nov 5, 2018
869
479
OS
Windows 10
BR
Chrome 83.0.4103.97
Wow Thanks! That is one nasty exploit.
Monday morning I am blocking TCP port 445 on all the switches on the 3 networks there. There is just so much control you have what people are bringing in and putting on the network. It might just be a good idea anyway to block the port anyway. That way you will be passed by during a port scan. Funny you used to get in big trouble port scanning for open PUB FTPs in the day. These days they don't seem to care much anymore.
Darn downtime has me slacking lately. At least someone is awake here.
 
Top