Tuesday, November 12, 2024
HomeCVE/vulnerabilitySMBleed - Windows SMB Protocol Bug Let Hackers Leak Kernel Memory &...

SMBleed – Windows SMB Protocol Bug Let Hackers Leak Kernel Memory & Execute a Code Remotely

Published on

Malware protection

Researchers uncovered a critical bug names as “SMBleed” in the Microsoft Server Message Block (SMB) network communication protocol.

This security flaw was named as SMBleed and identified as CVE-2020-1206; this vulnerability could easily enable the attackers to drip all the confidential data from the kernel memory remotely.

Combined this kind of vulnerability with the previous bug that is a wormable, then the flaw can be easily utilized to perform several remote code execution attacks.

- Advertisement - SIEM as a Service

But, apart from this, recently, a dispute has been detected in the SMB’s decompression function, it’s SMBGhost (CVE-2020-0796), that was disclosed three months ago, and this sought of vulnerability can open vulnerable Windows systems to malware attacks that can carry out its operation across networks.

According to the Zeccops report, it is due to the fact that the decompression function “Srv2DecompressData” in the SMB protocol that is capable of processing specially crafted message requests (for example, SMB2 WRITE) sent to SMBv3 destination server. Thus, an attacker can easily read data in the kernel memory and make changes to the compression function.

This vulnerability affects the Windows 10 versions of 1903 and 1909, and Microsoft has also recently published the security patches as well.

They announced just last week that they are forcing the users of Windows 10 so that they can update their devices after exploiting code for SMBGhost bug that was advertised online recently.

Basic Exploitation

Well, this whole vulnerability deals with SMB messages, and these messages primarily include fields like the number of bytes to address and flags, and thus it accompanied by a variable-length buffer. By crafting this, the messages become quite easy, so this is a perfect tool for exposition.

But there are some variable that contains uninitialized data, and therefore, we put different addition to the compression function that is based on our POC on Microsoft’s WindowsProtocolTestSuites repository.

By adding this will not be sufficient, as POC needs different credentials and a writable share, that are easily accessible in many situations. Still, the bug refers to every sought of the message so that it can get utilized remotely for any authentication. 

More importantly, the memory that has leaked is generally related to the earlier allocation in the NonPagedPoolNx pool, as we can manage the allocation size, which implies that the leaked data may come into our control to some extent.

SMBleed

The cybersecurity experts have recommended that both home and business users should install the latest version Windows, as this vulnerability are found in Windows 10 version 1909 and 1903, as we told earlier. 

But there are some situations where the Patch is not applicable, thus at that time, users should simply block the port 445 to stop any parallel movement and remote exploitation on their vulnerable system.

TL;DR

  • Initially, while observing the SMBGhost, the security experts discovered yet another vulnerability that is SMBleed.
  • This vulnerability focuses on revealing the Kernel memory remotely.
  • SMBleed enables the production of pre-auth Remote Code Execution (RCE) if it gets combined with the SMBGhost.
  • There are two main links, POC #1: SMBleed remote kernel memory read, and the POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost.

Affected Windows versions

Here are the Windows versions that are affected by this security flaw with the applicable updates installed:-

Windows 10 Version 2004

UpdateSMBGhostSMBleed
KB4557957Not VulnerableNot Vulnerable
Before KB4557957Not VulnerableVulnerable

Windows 10 Version 1909

UpdateSMBGhostSMBleed
KB4560960Not VulnerableNot Vulnerable
KB4551762Not VulnerableVulnerable
Before KB4551762VulnerableVulnerable

Windows 10 Version 1903

UpdateNull Dereference BugSMBGhostSMBleed
KB4560960FixedNot VulnerableNot Vulnerable
KB4551762FixedNot VulnerableVulnerable
KB4512941FixedVulnerableVulnerable
None of the aboveNot FixedVulnerablePotentially vulnerable

Mitigation

  • Update your Windows to the latest version, as this will fix the issue altogether.
  • Block the port 445 to stop any parallel movement.
  • Isolate the host.
  • Disable the SMB 3.1.1 compression, but you should note that the security experts do not recommend it.

Apart from all these things, if an unauthorized attacker wants to exploit this vulnerability, then the attacker must have to configure a malicious SMBv3 server and convince the user to connect to it.

The security experts have already reported their findings to Microsoft, and the company has already released the patches to fix this vulnerability.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity & hacking updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CISA Warns of Critical Palo Alto Networks Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of a critical vulnerability...

Cisco Desk Phone Series Vulnerability Lets Remote Attacker Access Sensitive Information

A significant vulnerability (CVE-2024-20445) has been discovered in Cisco Desk Phone 9800 Series, IP...

Cisco Flaw Let Attackers Run Command as Root User

A critical vulnerability has been discovered in Cisco Unified Industrial Wireless Software, which affects...