Scorpiones Group

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol

Cybersecurity researchers recently uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely.
When combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution.

What is Server Message Block (SMB)
The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.
It can also carry transaction protocols for interprocess communication.

This isn't the first time Server Message Block has come under attack. The flaw resides in SMB's decompression function, the same function affected by the SMBGhost or EternalDarkness bug (CVE-2020-0796), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks.

The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly patch release.
The US Cybersecurity and Infrastructure Security Agency issued a warning to Windows 10 users to update their machines after exploit code for the SMBGhost bug was published online last week.

SMBleed Attack Flow
SMBGhost was deemed so serious that it received the maximum severity score of 10.
SMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network.

“An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.” (Microsoft Advisory, 9 June 2020)

It gets worse: SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution.
This puts millions of computers worldwide at risk of a successful cyber attack.

SMBleed New Critical Windows 10 Vulnerability
Best Practices Regarding SMBleed Vulnerability:
To mitigate the vulnerability, it's recommended that home and business users install the latest Windows updates as soon as possible.
For systems where the patch is not applicable, it's advised to block port 445 to prevent lateral movement and remote exploitation.
Microsoft's security guidance addressing SMBleed and SMBGhost in Windows 10 versions 1909 and 1903 and Server Core for the same versions can be found here.
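
The two mitigations above can be checked on a single host with a short PowerShell audit. This is an added example, not code from the original post or from Microsoft. The $MinPatchedUbr parameter, the Get-Smb445Rule helper and the Exposed heuristic are assumptions of this example; the patched build revision is a placeholder to be filled in from Microsoft's guidance, since the page does not state it.

```powershell
# Added example: audit one host for the SMBleed/SMBGhost mitigations.
# Run from an elevated PowerShell prompt.
param(
    # Minimum patched update build revision (UBR). Placeholder: take the
    # value from Microsoft's security guidance; 0 means "not supplied".
    [int]$MinPatchedUbr = 0
)

# Windows 10 1903 and 1909 report CurrentBuild 18362 and 18363 respectively.
$affected = @{ '18362' = '1903'; '18363' = '1909' }
$cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$version  = $affected[[string]$cv.CurrentBuild]

# Is the SMB server listening on TCP 445 at all?
$listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# Enabled inbound firewall rules of a given action that name TCP 445 explicitly.
# Port ranges, "Any" rules and per-profile scoping are not evaluated here.
function Get-Smb445Rule([string]$Action) {
    Get-NetFirewallRule -Direction Inbound -Action $Action -Enabled True |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $f.Protocol -eq 'TCP' -and @($f.LocalPort) -contains '445'
        }
}
$allow = @(Get-Smb445Rule 'Allow')
$block = @(Get-Smb445Rule 'Block')

$patchState = if (-not $version)                  { 'not an affected version' }
              elseif ($MinPatchedUbr -le 0)       { 'unknown (no UBR supplied)' }
              elseif ($cv.UBR -ge $MinPatchedUbr) { 'patched' }
              else                                { 'MISSING UPDATE' }

[pscustomobject]@{
    Build           = "$($cv.CurrentBuild).$($cv.UBR)"
    AffectedVersion = $version
    PatchState      = $patchState
    Listening445    = $listening
    AllowRules445   = $allow.DisplayName -join '; '
    BlockRules445   = $block.DisplayName -join '; '
    # Block rules take precedence over allow rules in Windows Firewall.
    Exposed         = $listening -and $allow.Count -gt 0 -and $block.Count -eq 0
}
```

A host that reports an affected version, a missing update and Exposed = True is the case the advice above addresses: patch it, or add an inbound block rule for TCP 445 until it can be patched.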

If you want our experts to scan your business or organization for vulnerabilities, contact us now and our team will get going.
