SMBleed SMB Protocol Vulnerability


After SMBGhost, security researchers at ZecOps found another vulnerability, named SMBleed.

It allows an attacker to leak kernel memory remotely. Chained with SMBGhost, which was patched three months ago, SMBleed allows pre-authentication Remote Code Execution (RCE) on unpatched Microsoft Windows 10 systems.

Check SMBleed POC on GitHub

SMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network.

Video: SMBleed Demo by ZecOps

How to prevent SMB traffic from lateral connections and from entering or leaving the network

Server Message Block (SMB) is a network file sharing and data fabric protocol. SMB is used by billions of devices across a diverse set of operating systems, including Windows, macOS, iOS, Linux, and Android. Clients use SMB to access data on servers. This allows sharing of files, centralized data management, and lower storage capacity needs for mobile devices. Servers also use SMB as part of the Software-defined Data Center for workloads such as clustering and replication.

Because SMB is a remote file system, it requires protection from attacks in which a Windows computer is tricked into contacting a malicious server, either one running inside a trusted network or a remote server outside the network perimeter. Firewall best practices and configurations enhance security by preventing malicious traffic from leaving the computer or its network.

CVE-2020-1206 | Windows SMBv3 Client/Server Information Disclosure Vulnerability

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available, even if you plan to leave the following workaround in place:

Disable SMBv3 compression

You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

You can disable the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force

Note: No reboot is needed after disabling the workaround.
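The registry write above is the whole workaround, but an administrator usually wants to know the current state before touching it and to skip hosts that cannot be affected. The script below is an added example, not part of the original article or of Microsoft's advisory: it reads the same DisableCompression value, applies or reverts it, and first checks the OS build (SMBv3.1.1 compression arrived with Windows 10 version 1903, build 18362). The function names are this example's own; it assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example: check, apply, or revert the SMBv3 DisableCompression workaround.
# Assumes an elevated PowerShell session on Windows 10. Function names are hypothetical.
$SmbServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbCompressionSupported {
    # SMBv3.1.1 compression was introduced in Windows 10 version 1903 (build 18362);
    # older builds do not have the feature and are not affected by CVE-2020-1206.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($build -ge 18362)
}

function Get-SmbCompressionWorkaround {
    # $true when DisableCompression is 1 (workaround in place);
    # $false when the value is 0 or absent (default: compression enabled).
    $props = Get-ItemProperty -Path $SmbServerKey -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    return ([int]$props.DisableCompression -eq 1)
}

function Set-SmbCompressionWorkaround {
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    # Same write the advisory gives; takes effect without a reboot.
    Set-ItemProperty -Path $SmbServerKey -Name DisableCompression -Type DWORD -Value $value -Force
}

# Usage: report the state and apply the workaround only where it is relevant.
if (-not (Test-SmbCompressionSupported)) {
    Write-Host 'This build predates SMBv3.1.1 compression; not affected, nothing to do.'
} elseif (Get-SmbCompressionWorkaround) {
    Write-Host 'Workaround already applied (DisableCompression = 1).'
} else {
    Write-Host 'SMBv3 compression is enabled; applying workaround.'
    Set-SmbCompressionWorkaround -Enabled $true
}
# To revert after patching: Set-SmbCompressionWorkaround -Enabled $false
```

The workaround only protects the server side (LanmanServer); a client that connects to a malicious SMBv3 server is still exposed, so the patch remains the real fix.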

What steps can I take to protect my network?

Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.
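A perimeter block on TCP 445 says nothing about traffic inside the network, which is the gap the paragraph above ends on. The following is an added example, not code from the original article or from Microsoft: host-based Windows Defender Firewall rules that block SMB toward Internet addresses in both directions, plus an optional rule for workstations that never need to serve files, which also removes the lateral-movement path within the perimeter. It uses the built-in NetSecurity cmdlets and the "Internet" address keyword they accept; the function and rule names are this example's own, and it assumes an elevated session.

```powershell
# Added example: host-level SMB firewall rules complementing a perimeter block of TCP 445.
# Assumes an elevated PowerShell session with the NetSecurity module (Windows 8 / Server 2012 and later).
# Function and rule display names are hypothetical.

function Add-SmbFirewallRule {
    # Creates a rule once; re-running the script does not pile up duplicates.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][string]$RemoteAddress
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$DisplayName' already exists; skipping."
        return
    }
    $portParam = if ($Direction -eq 'Inbound') { @{ LocalPort = 445 } } else { @{ RemotePort = 445 } }
    New-NetFirewallRule -DisplayName $DisplayName -Direction $Direction -Protocol TCP `
        -RemoteAddress $RemoteAddress -Action Block -Profile Any -ErrorAction Stop @portParam | Out-Null
    Write-Host "Created rule '$DisplayName'."
}

function Add-SmbPerimeterRules {
    param(
        # Set on workstations that never act as a file server: blocks inbound 445 from everywhere,
        # which also stops SMB lateral movement from other hosts inside the perimeter.
        [switch]$BlockAllInbound
    )
    # Client side: stop the host being lured to a malicious SMBv3 server outside the network.
    Add-SmbFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound -RemoteAddress 'Internet'

    # Server side: nothing outside the network should reach this host's SMB service.
    if ($BlockAllInbound) {
        Add-SmbFirewallRule -DisplayName 'Block inbound SMB from any address' -Direction Inbound -RemoteAddress 'Any'
    } else {
        Add-SmbFirewallRule -DisplayName 'Block inbound SMB from Internet' -Direction Inbound -RemoteAddress 'Internet'
    }
}

function Get-SmbPerimeterRules {
    # Quick audit view of the rules this example manages.
    Get-NetFirewallRule -DisplayName 'Block * SMB *' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage on a workstation that does not share files:
Add-SmbPerimeterRules -BlockAllInbound
Get-SmbPerimeterRules | Format-Table -AutoSize
```

Block rules win over allow rules in Windows Defender Firewall, so the inbound "Any" variant overrides the default File and Printer Sharing allow rules; use it only on hosts that genuinely do not serve SMB, and keep the perimeter block in place regardless.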

Are older versions of Windows (other than what is listed in the Security Updates table) affected by this vulnerability?

No, the vulnerability exists in a new feature that was added to Windows 10 version 1903. Older versions of Windows do not support SMBv3.1.1 compression and are not affected.

Microsoft released security patches for June 2020

Finally, Microsoft has patched all current vulnerabilities, including SMBGhost and SMBleed.

In total, 129 security vulnerabilities were patched, 11 of them rated critical and 118 rated important.

You should update Windows 10 now.


More from Priyanshu Sahay
