A critical vulnerability has recently been identified within the Server Message Block (SMB) protocol, exposing systems to the risk of remote kernel memory leakage. Researchers from cybersecurity firm ZecOps have labeled this vulnerability “SMBleed” (CVE-2020-1206). The flaw is particularly concerning, as it can be coupled with a previously reported “wormable” vulnerability, further elevating the potential for remote code execution attacks.

The flaw lies in the SMBv3 decompression code path, the same component behind SMBGhost (CVE-2020-0796), which was disclosed three months earlier and left Windows systems exposed to malware able to spread across a network without user interaction. According to the disclosure, SMBleed primarily affects Windows 10 versions 1903 and 1909. Microsoft has released fixes as part of its June 2020 Patch Tuesday update.

The disclosure follows a warning issued last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), urging Windows 10 users to apply the available updates for the SMBGhost bug now that exploit code for it has been published.

On its own, SMBleed is an information-disclosure bug; the urgency comes from pairing it with SMBGhost, which carries the maximum CVSS score of 10.0. ZecOps traced the flaw to the Srv2DecompressData function, which handles compressed message requests sent to an SMBv3 server: a crafted request can cause the server to treat uninitialized kernel memory as part of the decompressed message, so that an attacker can read pool contents remotely.
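The following C program is an added illustration written for this article; it is not ZecOps', Microsoft's, or the article's own code. It models the pattern described above: a server allocates Offset + OriginalCompressedSegmentSize bytes from a pool, decompresses into that buffer, and then hands the message on using the client-declared size rather than the number of bytes the decompressor actually produced. The struct, the stale-filled stand-in pool, and the stand-in decompressor (which simply copies a stored payload) are assumptions for the example; the point it demonstrates is that the missing length check turns whatever the pool already held into readable message data, and that validating the produced length against the declared one closes that path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the fields of the SMB2 COMPRESSION_TRANSFORM_HEADER
 * that matter here. Field names follow the spec; this is not the wire layout. */
typedef struct {
    uint32_t original_compressed_segment_size; /* client-declared decompressed size */
    uint32_t offset;                            /* length of the uncompressed prefix */
    const uint8_t *prefix;                      /* uncompressed prefix (offset bytes) */
    const uint8_t *compressed;                  /* compressed payload */
    uint32_t compressed_len;
} compress_hdr_t;

enum { SRV_OK = 0, SRV_ERR_ALLOC = -1, SRV_ERR_BAD_SIZE = -2 };

/* Stand-in for the kernel pool (assumption): a static arena prefilled with 'S'
 * bytes, playing the role of uninitialised memory left by an earlier allocation. */
#define POOL_SIZE 256
static uint8_t g_pool[POOL_SIZE];
static void pool_reset(void) { memset(g_pool, 'S', POOL_SIZE); }
static uint8_t *pool_alloc(uint32_t n) { return n <= POOL_SIZE ? g_pool : NULL; }

/* Stand-in decompressor (assumption): the constructed payload is stored rather
 * than compressed, so decompression is a bounded copy. It returns the number of
 * bytes actually produced, which is the value a real decompressor also reports. */
static uint32_t decompress(const uint8_t *in, uint32_t in_len,
                           uint8_t *out, uint32_t out_cap) {
    uint32_t n = in_len < out_cap ? in_len : out_cap;
    memcpy(out, in, n);
    return n;
}

/* Shared body: allocate offset + declared size, copy the prefix, decompress after it. */
static int decompress_into(const compress_hdr_t *h, uint8_t **buf, uint32_t *produced) {
    if (h->offset > UINT32_MAX - h->original_compressed_segment_size) return SRV_ERR_BAD_SIZE;
    uint32_t total = h->offset + h->original_compressed_segment_size;
    *buf = pool_alloc(total);
    if (!*buf) return SRV_ERR_ALLOC;
    memcpy(*buf, h->prefix, h->offset);
    *produced = decompress(h->compressed, h->compressed_len,
                           *buf + h->offset, h->original_compressed_segment_size);
    return SRV_OK;
}

/* Vulnerable pattern: the message length passed to later handlers is the
 * client-declared size, so a request that declares 64 bytes but decompresses
 * to 4 hands over 60 bytes of whatever the pool already contained. */
int srv2_decompress_vulnerable(const compress_hdr_t *h, uint8_t **msg, uint32_t *msg_len) {
    uint32_t produced;
    int rc = decompress_into(h, msg, &produced);
    if (rc != SRV_OK) return rc;
    *msg_len = h->offset + h->original_compressed_segment_size; /* BUG: ignores produced */
    return SRV_OK;
}

/* Hardened pattern: a decompressed byte count that does not match the declared
 * size is a malformed request and is rejected before any handler sees the buffer. */
int srv2_decompress_fixed(const compress_hdr_t *h, uint8_t **msg, uint32_t *msg_len) {
    uint32_t produced;
    int rc = decompress_into(h, msg, &produced);
    if (rc != SRV_OK) return rc;
    if (produced != h->original_compressed_segment_size) return SRV_ERR_BAD_SIZE;
    *msg_len = h->offset + produced;
    return SRV_OK;
}

/* Count bytes in the returned message that the request never supplied. */
uint32_t stale_bytes(const uint8_t *msg, uint32_t len) {
    uint32_t n = 0;
    for (uint32_t i = 0; i < len; i++) if (msg[i] == 'S') n++;
    return n;
}

/* Constructed requests. The malformed one declares 64 bytes but carries 4. */
static const uint8_t k_prefix[] = "WRITEREQ";   /* 8-byte stand-in for a request header */
static const uint8_t k_payload[] = "AAAA";
const compress_hdr_t k_malformed  = { 64, 8, k_prefix, k_payload, 4 };
const compress_hdr_t k_wellformed = {  4, 8, k_prefix, k_payload, 4 };

/* Stale pool bytes the vulnerable path exposes for the malformed request. */
uint32_t vulnerable_leak_count(void) {
    uint8_t *msg; uint32_t len;
    pool_reset();
    if (srv2_decompress_vulnerable(&k_malformed, &msg, &len) != SRV_OK) return 0;
    return stale_bytes(msg, len);
}

/* Result code of the hardened path, and stale bytes it exposes (0 on rejection). */
int fixed_rc(const compress_hdr_t *h) {
    uint8_t *msg; uint32_t len = 0;
    pool_reset();
    return srv2_decompress_fixed(h, &msg, &len);
}
uint32_t fixed_leak(const compress_hdr_t *h) {
    uint8_t *msg; uint32_t len = 0;
    pool_reset();
    return srv2_decompress_fixed(h, &msg, &len) == SRV_OK ? stale_bytes(msg, len) : 0;
}

int main(void) {
    printf("vulnerable path, malformed request: %u stale bytes exposed\n", vulnerable_leak_count());
    printf("fixed path, malformed request: rc=%d\n", fixed_rc(&k_malformed));
    printf("fixed path, well-formed request: rc=%d, stale bytes=%u\n",
           fixed_rc(&k_wellformed), fixed_leak(&k_wellformed));
    return 0;
}
```

The stale-byte count is what an attacker would see in the file written by a subsequent request that consumes the buffer; in the real server the bytes are kernel pool contents rather than a fixed marker, which is why the leak is useful for defeating KASLR ahead of an SMBGhost exploit.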

Exploitation can lead to full system compromise when chained with a code-execution bug. Microsoft warns that an unauthenticated attacker could send specially crafted packets to a targeted SMBv3 server, or could entice a user to connect to a malicious SMBv3 server to trigger the vulnerability on the client side.

Chaining SMBleed with SMBGhost enables remote code execution on unpatched Windows 10 systems, which makes immediate action all the more urgent. ZecOps has published proof-of-concept (PoC) exploit code demonstrating both SMBleed alone and the SMBleed-plus-SMBGhost chain, so the risk to systems that have not yet received the updates is no longer theoretical.

For effective mitigation, both home and business users should install the latest Windows updates promptly. Where the patch cannot be applied immediately, blocking TCP port 445 at the network perimeter limits remote exploitation and lateral movement. Note that an inbound block protects SMB servers but not the client-side vector described above, in which a user connects to a malicious SMBv3 server; restricting outbound TCP 445 as well closes that path.

Microsoft has published detailed security guidance for both SMBleed and SMBGhost covering the affected Windows 10 versions and Server Core installations. Business owners should consult it to ensure their systems are protected against these flaws, which sit in networking functionality foundational to file sharing and inter-process communication.

As businesses remain increasingly interconnected, timely response to identified vulnerabilities is paramount. Proactive measures, including regular updates and network security practices, can significantly mitigate the risks associated with such vulnerabilities.
