SMBleed: New critical vulnerability affects all Windows 10 versions, including the May 2020 update (version 2004)
We have already written about SMBGhost, the critical vulnerability affecting Windows 10 PCs and laptops. Microsoft accidentally revealed the SMBGhost bug during the March Patch Tuesday update, and security researchers and hackers eventually managed to create an exploit for it. However, the vulnerability was patched by Microsoft in the Windows 10 May 2020 v2004 update and we thought that would be the end of it.
Now security researchers from ZecOps have discovered a supercritical vulnerability called SMBleed that affects even Windows 10 version 2004. Like SMBGhost, it is a flaw in the Server Message Block (SMB) protocol. It allows potential hackers to leak kernel memory remotely, and when chained with the “wormable” SMBGhost bug, it can be exploited to achieve remote code execution.
SMBleed has been assigned the identifier CVE-2020-1206 and resides in SMB’s decompression function, like the SMBGhost or EternalDarkness bug (CVE-2020-0796). Here is a short description of what the SMBleed vulnerability is:
- While looking at the vulnerable function of SMBGhost, ZecOps discovered another vulnerability: SMBleed (CVE-2020-1206).
- SMBleed allows an attacker to leak kernel memory remotely.
- Combined with SMBGhost, which was patched three months ago, SMBleed allows an attacker to achieve pre-auth Remote Code Execution (RCE).
- POC #1: SMBleed remote kernel memory read: POC #1 Link
- POC #2: Pre-Auth RCE Combining SMBleed with SMBGhost: POC #2 Link
ZecOps says that chaining SMBleed with the SMBGhost exploit already available online could allow any potential hacker to remotely gain full control of any Windows 10 PC, even one running the latest Windows 10 v2004. According to ZecOps researchers, the flaw stems from the way the decompression function in question (“Srv2DecompressData”) handles specially crafted message requests (e.g., SMB2 WRITE) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function.
Here is a summary of which Windows 10 versions are vulnerable or not vulnerable to SMBGhost and SMBleed, depending on the updates installed:
Windows 10 Version 2004

| Update | SMBGhost | SMBleed |
| --- | --- | --- |
| KB4557957 | Not Vulnerable | Not Vulnerable |
| Before KB4557957 | Not Vulnerable | Vulnerable |

Windows 10 Version 1909

| Update | SMBGhost | SMBleed |
| --- | --- | --- |
| KB4560960 | Not Vulnerable | Not Vulnerable |
| KB4551762 | Not Vulnerable | Vulnerable |
| Before KB4551762 | Vulnerable | Vulnerable |

Windows 10 Version 1903

| Update | Null Dereference Bug | SMBGhost | SMBleed |
| --- | --- | --- | --- |
| KB4560960 | Fixed | Not Vulnerable | Not Vulnerable |
| KB4551762 | Fixed | Not Vulnerable | Vulnerable |
| KB4512941 | Fixed | Vulnerable | Vulnerable |
| None of the above | Not Fixed | Vulnerable | Potentially vulnerable* |
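
For patch triage, the table above can be applied to a host inventory so that machines exposed to the chained pre-auth RCE are fixed before those exposed only to the memory leak. This is an added example, not code from ZecOps or Microsoft; the inventory format, hostnames and risk labels are assumptions, "Potentially vulnerable" is treated as exposed, and the check matches only the KB numbers in the table, so a host on a later cumulative update falls through to the last row and needs a manual check.

```python
N, V, P = "Not Vulnerable", "Vulnerable", "Potentially vulnerable"

# Rows copied from the article's table, newest update first; None is the
# "before / none of the above" row. Columns: (KB, SMBGhost, SMBleed).
TABLE = {
    "2004": [("KB4557957", N, N), (None, N, V)],
    "1909": [("KB4560960", N, N), ("KB4551762", N, V), (None, V, V)],
    "1903": [("KB4560960", N, N), ("KB4551762", N, V),
             ("KB4512941", V, V), (None, V, P)],
}
PRIORITY = {"pre-auth RCE chain": 0, "kernel memory leak": 1, "review manually": 2, "patched": 3}


def assess(version, installed_kbs):
    """Return (SMBGhost, SMBleed, risk) for one host."""
    rows = TABLE.get(version)
    if rows is None:                      # version not covered by the table
        return ("Unknown", "Unknown", "review manually")
    kbs = {kb.strip().upper() for kb in installed_kbs}
    # Newest matching row wins: updates are cumulative, so an older KB
    # that is also present must not downgrade the verdict.
    ghost, bleed = next((g, b) for kb, g, b in rows if kb is None or kb in kbs)
    if ghost == V and bleed != N:
        risk = "pre-auth RCE chain"       # SMBGhost and SMBleed together
    elif bleed != N:
        risk = "kernel memory leak"       # SMBleed alone
    else:
        risk = "patched" if ghost == N else "review manually"
    return (ghost, bleed, risk)


def triage(inventory):
    """Sort (host, version, kbs) records, lowest PRIORITY value first."""
    results = [(host, *assess(ver, kbs)) for host, ver, kbs in inventory]
    return sorted(results, key=lambda r: (PRIORITY[r[3]], r[0]))


# Constructed sample inventory (hostnames and KB lists are made up).
INVENTORY = [
    ("ws-01", "2004", ["KB4557957"]),
    ("ws-02", "2004", []),
    ("ws-03", "1909", ["kb4551762 "]),
    ("ws-04", "1903", ["KB4512941"]),
    ("ws-05", "1809", ["KB4551762"]),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep=" | ")
```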