Cybersecurity researchers from ZecOps discovered a new vulnerability, dubbed SMBleed, affecting the Server Message Block (SMB) protocol.
The vulnerability (CVE-2020-1206) could allow attackers to leak kernel memory remotely or, when chained with the SMBGhost vulnerability, to achieve pre-auth remote code execution.
SMBGhost (CVE-2020-0796) is a remote code execution vulnerability that affects Windows 10 and Windows Server 2019. The vulnerability resides in version 3.1.1 of the Microsoft Server Message Block (SMB) protocol.
Microsoft released security updates to patch SMBGhost, applicable for Windows 10 (versions 1903 and 1909) and Windows Server (1903 and 1909 – Server Core installation).
The SMBleed vulnerability resides in the “Srv2DecompressData function in the srv2.sys SMB server driver”; the flaw lies in the way Srv2DecompressData handles a crafted message sent to the targeted SMBv3 server.
Successful exploitation of the SMBleed vulnerability allows attackers to leak kernel memory remotely; combined with SMBGhost, SMBleed allows attackers to achieve pre-auth Remote Code Execution (RCE).
The researchers published a PoC.
The bug affects Windows 10 versions 1903, 1909, and 2004, and it would allow remote attackers to gain unauthorized access to sensitive information on the system.
According to Microsoft’s advisory, an attacker who exploits the vulnerability could obtain the required information to compromise the system.
“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.” reads the blog post.
Microsoft has now fixed the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests. Chained with SMBGhost, the SMBleed bug lets attackers achieve RCE (Remote Code Execution).
Users are advised to install the latest updates, as the vulnerability is wormable; SMB vulnerabilities were previously exploited by the WannaCry ransomware.
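For administrators who want to triage hosts before the patch rollout finishes, the following read-only PowerShell script is an added example; it is not from the article, from ZecOps, or from Microsoft. It reports whether a Windows 10 host is on one of the releases the article names as affected (1903, 1909, 2004), whether Microsoft's documented SMBv3 compression workaround (the `DisableCompression` value under the LanmanServer parameters key, published for the SMBGhost advisory) is set, and whether the SMB listener on TCP 445 is active. The `-PatchKbId` parameter is a placeholder: the KB number for the fix is not given in the article and must be taken from Microsoft's advisory.

```powershell
# Added example (not from the article, ZecOps or Microsoft): read-only triage of
# a single Windows host for exposure to the SMBv3 decompression bugs.
# Assumptions: the affected release list is taken from the article above; the
# DisableCompression value is Microsoft's published SMBv3 workaround; the KB id
# of the fix is NOT on the page and must be supplied by the caller.

function Get-SmbleedExposure {
    [CmdletBinding()]
    param(
        # Placeholder: fill in from Microsoft's advisory for CVE-2020-1206.
        [string]$PatchKbId = $null
    )

    # Windows 10 releases the article lists as affected by SMBleed.
    $affectedReleases = @('1903', '1909', '2004')

    # Release identifier: ReleaseId is populated on 1903/1909/2004; newer
    # builds use DisplayVersion instead, so fall back to it.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = if ($cv.ReleaseId) { [string]$cv.ReleaseId } else { [string]$cv.DisplayVersion }
    $isWorkstation = ($cv.ProductName -like 'Windows 10*')

    # Microsoft's workaround for the SMBv3 compression bugs: a DWORD of 1 here
    # disables SMBv3 compression on the server side.
    $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $lanman -and $lanman.DisableCompression -eq 1)

    # Is anything listening on the SMB port at all?
    $smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
        -ErrorAction SilentlyContinue)

    # Optional: confirm the fix is installed, if the caller supplied the KB id.
    $patchInstalled = $null
    if ($PatchKbId) {
        $patchInstalled = [bool](Get-HotFix -Id $PatchKbId -ErrorAction SilentlyContinue)
    }

    $onAffectedRelease = $isWorkstation -and ($affectedReleases -contains $release)

    # Exposed = affected release, SMB reachable, no workaround, and either the
    # patch is known to be missing or its status is unknown.
    $exposed = $onAffectedRelease -and $smbListening -and -not $compressionDisabled `
        -and ($patchInstalled -ne $true)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ProductName           = $cv.ProductName
        Release               = $release
        OnAffectedRelease     = $onAffectedRelease
        SmbListeningOn445     = $smbListening
        CompressionDisabled   = $compressionDisabled
        PatchInstalled        = $patchInstalled   # $null when no KB id was given
        LikelyExposed         = $exposed
    }
}

# Usage (run elevated so the LanmanServer key and hotfix list are readable):
#   Get-SmbleedExposure
#   Get-SmbleedExposure -PatchKbId 'KB<from-advisory>' | Format-List
```

The verdict is deliberately conservative: a host counts as exposed unless the patch is confirmed present or compression is disabled, so a missing `-PatchKbId` never produces a false "safe". Run it across a fleet with `Invoke-Command` and filter on `LikelyExposed` to prioritise the update order.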