A brand new Microsoft Windows 10 v1903, 1909 and even v2004 vulnerability called SMBleed


SMBleed: this new critical vulnerability affects Windows 10 versions 1903, 1909 and 2004, including the May 2020 Update (version 2004)

We had already written about the critical Windows 10 vulnerability called SMBGhost (CVE-2020-0796). Details of SMBGhost leaked during the March 2020 Patch Tuesday cycle before a fix was available, Microsoft shipped the out-of-band fix KB4551762 a few days later, and security researchers and hackers eventually produced working exploits for it. Windows 10 version 2004, the May 2020 Update, shipped with that fix already in place, and we thought that would be the end of it.

Now security researchers from ZecOps have discovered another critical vulnerability, SMBleed, that affects even Windows 10 version 2004. Like SMBGhost, it lives in the compression support of the Server Message Block (SMB) protocol and lets a remote attacker leak kernel memory. Chained with the "wormable" SMBGhost bug, the two can be exploited together to achieve remote code execution.

ZecOps' SMBleed has been assigned the identifier CVE-2020-1206 and resides in the same SMB decompression function as SMBGhost, also known as EternalDarkness (CVE-2020-0796). Here is ZecOps' short summary of the vulnerability:

  • While looking at the vulnerable function of SMBGhost, ZecOps discovered another vulnerability: SMBleed (CVE-2020-1206).
  • SMBleed allows leaking kernel memory remotely.
  • Combined with SMBGhost, which was patched three months ago, SMBleed allows pre-auth Remote Code Execution (RCE).
  • PoC #1: SMBleed remote kernel memory read.
  • PoC #2: pre-auth RCE combining SMBleed with SMBGhost.
  • ZecOps also published a demo video of the PoC.

ZecOps says that chaining SMBleed with the SMBGhost exploit already available online could let an attacker take full control of a Windows 10 PC remotely, even one running the latest version 2004. According to the researchers, the flaw stems from how the SMBv3 server's decompression function, Srv2DecompressData, handles specially crafted compressed messages (for example an SMB2 WRITE request): the function allocates a buffer for the decompressed size the client claims in the compression header, but never checks that the decompressor actually filled that buffer, so the unwritten tail, which is uninitialized kernel memory, is treated as part of the request. When the request is a WRITE, that memory ends up in a file the attacker can read back; ZecOps' first PoC works this way against a share the attacker can write to.
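To make that failure mode concrete, here is an added C model of the length handling described above. It is not ZecOps' PoC and not Microsoft's srv2.sys code: the LZ77 decompressor is replaced by a toy run-length routine, the non-paged pool allocation by malloc pre-filled with a 0xCC marker, and the header fields, offset and claimed size are constructed values. The vulnerable shape reports the client's claimed size as the message length; the hardened shape is my own check, not a description of Microsoft's actual patch, and refuses any message whose decompressed output does not match the claimed size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of the SMB2 COMPRESSION_TRANSFORM_HEADER fields that matter here. */
struct xform_header {
    uint32_t original_size; /* OriginalCompressedSegmentSize: claimed decompressed length */
    uint32_t offset;        /* Offset: plaintext bytes that precede the compressed data */
};

/* Reassembled SMB2 message, the way the command handler will see it. */
struct smb2_msg {
    uint8_t *data;
    size_t   len;
};

#define STALE 0xCC /* constructed marker for whatever the pool chunk held before */

/* Toy stand-in for the LZ77 decompressor: (count, byte) pairs expand to
 * `count` copies of `byte`.  Like the real routine it reports how many bytes
 * it actually produced; that return value is what the vulnerable path ignores. */
static size_t toy_decompress(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap)
{
    size_t written = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        if (count > out_cap - written)
            count = out_cap - written;
        memset(out + written, in[i + 1], count);
        written += count;
    }
    return written;
}

/* Shared prologue: allocate Offset + OriginalCompressedSegmentSize, copy the
 * plaintext prefix, decompress the rest.  The buffer is pre-filled with STALE
 * to simulate an uninitialized pool allocation. */
static uint8_t *decompress_into(const struct xform_header *h,
                                const uint8_t *payload, size_t payload_len,
                                size_t *produced)
{
    if (payload_len < h->offset)
        return NULL;
    size_t total = (size_t)h->offset + h->original_size;
    uint8_t *buf = malloc(total);
    if (!buf)
        return NULL;
    memset(buf, STALE, total);
    memcpy(buf, payload, h->offset);
    *produced = toy_decompress(payload + h->offset, payload_len - h->offset,
                               buf + h->offset, h->original_size);
    return buf;
}

/* Vulnerable shape: message length comes from the client's header, so bytes
 * the decompressor never wrote are handed on as request data. */
static int decompress_vulnerable(const struct xform_header *h,
                                 const uint8_t *payload, size_t payload_len,
                                 struct smb2_msg *out)
{
    size_t produced;
    uint8_t *buf = decompress_into(h, payload, payload_len, &produced);
    if (!buf)
        return -1;
    out->data = buf;
    out->len  = (size_t)h->offset + h->original_size; /* BUG: trusts the client */
    return 0;
}

/* Hardened shape (added check): refuse unless the decompressor filled exactly
 * the claimed size, so no unwritten bytes can reach the command handler. */
static int decompress_hardened(const struct xform_header *h,
                               const uint8_t *payload, size_t payload_len,
                               struct smb2_msg *out)
{
    size_t produced;
    uint8_t *buf = decompress_into(h, payload, payload_len, &produced);
    if (!buf)
        return -1;
    if (produced != h->original_size) {
        free(buf);
        return -1;
    }
    out->data = buf;
    out->len  = (size_t)h->offset + produced;
    return 0;
}

/* Count bytes in the reassembled message that still carry STALE content.  If
 * the message is an SMB2 WRITE, these are the bytes that land in the file. */
static size_t stale_bytes(const struct smb2_msg *m)
{
    size_t n = 0;
    for (size_t i = 0; i < m->len; i++)
        if (m->data[i] == STALE)
            n++;
    return n;
}

/* Constructed attacker message: 8 plaintext bytes, a header claiming 64 bytes
 * of decompressed data, and compressed data that expands to only 8 bytes.
 * Returns the number of leaked bytes, or -1 if the message was rejected. */
long run_demo(int hardened)
{
    static const uint8_t payload[] = {
        'S', 'M', 'B', '2', 'H', 'D', 'R', '.', /* Offset bytes, sent in clear */
        8, 'A'                                  /* compressed: 8 copies of 'A' */
    };
    struct xform_header h = { .original_size = 64, .offset = 8 };
    struct smb2_msg msg;
    int rc = hardened ? decompress_hardened(&h, payload, sizeof payload, &msg)
                      : decompress_vulnerable(&h, payload, sizeof payload, &msg);
    if (rc != 0)
        return -1;
    long leaked = (long)stale_bytes(&msg);
    free(msg.data);
    return leaked;
}

int main(void)
{
    printf("vulnerable path: %ld stale bytes reach the command handler\n", run_demo(0));
    printf("hardened path: %ld (message rejected)\n", run_demo(1));
    return 0;
}
```

The vulnerable path hands 56 of the 72 message bytes to the command handler without ever having written them; in the real server those bytes are whatever the pool chunk last held, which is exactly what a WRITE request then copies into a file on the share.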

Which Windows 10 versions are vulnerable to SMBleed

Here is ZecOps' summary of the affected Windows versions, by the update installed:

Windows 10 Version 2004

Update              SMBGhost         SMBleed
KB4557957           Not vulnerable   Not vulnerable
Before KB4557957    Not vulnerable   Vulnerable

Windows 10 Version 1909

Update              SMBGhost         SMBleed
KB4560960           Not vulnerable   Not vulnerable
KB4551762           Not vulnerable   Vulnerable
Before KB4551762    Vulnerable       Vulnerable

Windows 10 Version 1903

Update              Null dereference bug   SMBGhost         SMBleed
KB4560960           Fixed                  Not vulnerable   Not vulnerable
KB4551762           Fixed                  Not vulnerable   Vulnerable
KB4512941           Fixed                  Vulnerable       Vulnerable
None of the above   Not fixed              Vulnerable       Potentially vulnerable*


SMBleed mitigation

ZecOps recommends that all Windows 10 users, home and business, update their PCs, laptops and servers to the non-vulnerable builds listed above. If for some reason you cannot update, block TCP port 445 at the perimeter and on the host to prevent remote exploitation, and disable SMB 3.1.1 compression if it is not required. Microsoft's published workaround from the SMBGhost advisory sets the DisableCompression DWORD to 1 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; note that this protects the SMB server side only, not SMB clients. Microsoft has published security guidance for both SMBleed (CVE-2020-1206) and SMBGhost (CVE-2020-0796).

About Author

Hacker, coder, journo by night. When a good man is hurt, all who would be called good must suffer with him.
