
SMBleed SMBv3 Client/Server Information Disclosure Vulnerability



Summary

A remote kernel memory disclosure vulnerability affecting SMBv3, named SMBleed by the researchers who found it, has been announced. It could be exploited on vulnerable Windows 10 and Windows Server systems (the releases that implement SMBv3.1.1 compression) to read sensitive kernel memory that may then be used in follow-on attacks, for example to defeat address-space randomisation before a memory-corruption exploit.


Affected platforms

The following platforms are known to be affected:

Threat details

Security researchers have released details of an information disclosure vulnerability, known as SMBleed, in Microsoft's implementation of the Server Message Block 3.1.1 (SMBv3.1.1) protocol. They claim that a remote unauthenticated attacker could exploit it to read the contents of kernel memory on an affected system.

Like the older SMBGhost vulnerability, SMBleed is caused by a flaw in the handling of compressed messages that SMBv3.1.1 introduced. A compressed message carries an attacker-supplied OriginalSize field stating how large the data will be once decompressed. The affected code sizes its buffer from that field but does not verify that the decompressed data actually fills it, so an attacker who sends a specially crafted compressed request can leave part of the buffer uninitialised. Whatever the kernel memory previously held is then treated as part of the request and can be returned to the attacker in a response, for example by writing it to a file the attacker can read back.

At the time of publication, a number of proof-of-concept exploits are available for SMBleed, including several that combine it with known SMBGhost exploits in what is being referred to as SMBleedingGhost. On its own SMBleed discloses memory; chained with SMBGhost the leak can be used to make the memory-corruption exploit reliable.
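The check that is missing in the flawed code path, shown as an added example that is not Microsoft's code and not part of the original advisory. It models the SMBv3.1.1 compression transform (the 16-byte header layout follows the public MS-SMB2 specification) with a constructed message, a toy run-length decoder standing in for the real LZ77/LZNT1 decompressor, and a small fixed memory region standing in for a non-zeroed kernel pool allocation that still holds data from an earlier request. The same parser runs in two modes: the flawed mode trusts the header's OriginalSize for the output length, so a payload that decompresses to fewer bytes leaves stale pool contents in the tail of the message; the hardened mode rejects any message whose decompressed length differs from OriginalSize. All names, the stale string and the message contents are constructed for the example.

```c
/* Added example (not Microsoft's code, not from the advisory): a model of the
 * SMBv3.1.1 compression transform handling that SMBleed abuses.
 * Header layout follows MS-SMB2 2.2.42 (COMPRESSION_TRANSFORM_HEADER). The
 * "pool" and the run-length decoder are simplified stand-ins for the real
 * kernel pool allocator and the LZ77/LZNT1 family of algorithms. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMB2_COMPRESSION_TRANSFORM_ID 0x424D53FCu  /* "\xFCSMB" as little-endian u32 */

typedef struct {
    uint32_t ProtocolId;
    uint32_t OriginalSize;          /* attacker-controlled claimed decompressed size */
    uint16_t CompressionAlgorithm;  /* 1 = LZNT1 in MS-SMB2; nominal here */
    uint16_t Flags;
    uint32_t Offset;                /* bytes of uncompressed data before the compressed part */
} CompressionTransformHeader;

/* Simulated non-zeroing pool: a reused region that still holds data from an
 * earlier request (constructed stale content, deliberately free of 'A'/'P'). */
static uint8_t g_pool[256];
static void pool_reset(void) {
    const char *stale = "stale-kernel-data-from-previous-request:s3cr3t";
    memset(g_pool, 0, sizeof g_pool);
    memcpy(g_pool, stale, strlen(stale));
}
static uint8_t *pool_alloc(size_t n) { return n <= sizeof g_pool ? g_pool : NULL; } /* no zeroing */

/* Toy decoder standing in for the real algorithm: each (count, byte) pair
 * expands to `count` copies of `byte`. Returns the number of bytes produced. */
static size_t rle_decompress(const uint8_t *in, size_t in_len, uint8_t *out, size_t cap) {
    size_t produced = 0;
    for (size_t i = 0; i + 1 < in_len; i += 2)
        for (uint8_t k = 0; k < in[i] && produced < cap; k++) out[produced++] = in[i + 1];
    return produced;
}

/* Parses header + Offset plain bytes + compressed payload into one buffer.
 * check_size == 0 models the flawed path: the output length is taken from the
 * attacker-supplied OriginalSize even when the decoder produced fewer bytes,
 * so the tail of the buffer is whatever the pool already held.
 * check_size != 0 is the hardened path: a length mismatch is rejected. */
static uint8_t *decompress_message(const uint8_t *msg, size_t msg_len, int check_size, size_t *out_len) {
    CompressionTransformHeader h;
    if (msg_len < sizeof h) return NULL;
    memcpy(&h, msg, sizeof h);
    if (h.ProtocolId != SMB2_COMPRESSION_TRANSFORM_ID) return NULL;
    if (h.Offset > msg_len - sizeof h) return NULL;
    /* Overflow-safe bound on Offset + OriginalSize: this is the SMBGhost-style
     * check; SMBleed is the separate problem that remains after it. */
    if ((uint64_t)h.Offset + h.OriginalSize > sizeof g_pool) return NULL;
    size_t total = (size_t)h.Offset + h.OriginalSize;
    uint8_t *buf = pool_alloc(total);
    if (!buf) return NULL;
    memcpy(buf, msg + sizeof h, h.Offset);
    const uint8_t *comp = msg + sizeof h + h.Offset;
    size_t comp_len = msg_len - sizeof h - h.Offset;
    size_t got = rle_decompress(comp, comp_len, buf + h.Offset, h.OriginalSize);
    if (check_size && got != h.OriginalSize) return NULL;  /* hardened: reject short output */
    *out_len = total;                                       /* flawed: trust OriginalSize */
    return buf;
}

/* Constructed message: claims OriginalSize = claimed, but its single RLE pair
 * only expands to real_count bytes of 'A'. Prefix bytes are 'P'. */
static size_t build_message(uint8_t *out, uint32_t offset, uint32_t claimed, uint8_t real_count) {
    CompressionTransformHeader h = { SMB2_COMPRESSION_TRANSFORM_ID, claimed, 1, 0, offset };
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 'P', offset);
    out[sizeof h + offset] = real_count;
    out[sizeof h + offset + 1] = 'A';
    return sizeof h + offset + 2;
}

/* Flawed path on a lying message (Offset 4, claimed 32, real 8). */
static const uint8_t *run_flawed(size_t *out_len) {
    static uint8_t msg[64];
    size_t n = build_message(msg, 4, 32, 8);
    pool_reset();
    return decompress_message(msg, n, 0, out_len);
}
/* Bytes of the flawed output that this request never wrote (stale pool data). */
static size_t leaked_bytes_flawed(void) {
    size_t len = 0, leaked = 0;
    const uint8_t *out = run_flawed(&len);
    for (size_t i = 4; out && i < len; i++) if (out[i] != 'A') leaked++;
    return leaked;
}
static int hardened_rejects_lying_message(void) {
    uint8_t msg[64]; size_t n = build_message(msg, 4, 32, 8), len = 0;
    pool_reset();
    return decompress_message(msg, n, 1, &len) == NULL;
}
static int hardened_accepts_honest_message(void) {
    uint8_t msg[64]; size_t n = build_message(msg, 4, 8, 8), len = 0;
    pool_reset();
    const uint8_t *out = decompress_message(msg, n, 1, &len);
    return out && len == 12 && memcmp(out, "PPPPAAAAAAAA", 12) == 0;
}

int main(void) {
    size_t len = 0;
    const uint8_t *out = run_flawed(&len);
    printf("flawed path returned %zu bytes, %zu of them stale: %.24s\n",
           len, leaked_bytes_flawed(), out + 12);
    printf("hardened path rejects lying message: %d, accepts honest one: %d\n",
           hardened_rejects_lying_message(), hardened_accepts_honest_message());
    return 0;
}
```

The flawed run returns a 36-byte message of which the last 24 bytes were never written by the request and simply expose what the pool held; the hardened run rejects the same message and still accepts one whose payload really does expand to OriginalSize. The fix is the single length comparison, which is the kind of check Microsoft's update supplies.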



Remediation advice

Microsoft released an update to address SMBleed as part of its June 2020 monthly security release. Affected organisations are encouraged to apply this update immediately; it is the only measure that protects both the SMB server and the SMB client code paths.

Organisations that cannot apply the update should consider Microsoft’s recommendation to disable SMB compression using the following PowerShell command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Please note that this only prevents exploitation of the vulnerability against SMBv3 servers, and must be applied on every host that serves SMB. Systems acting as SMBv3 clients (for example, a workstation connecting to an attacker-controlled share) will still be exposed until patched.

Affected organisations should also consider blocking all inbound and outbound connections over TCP port 445 at their perimeter firewall. To limit lateral movement by related attacks inside the network, inbound TCP port 445 connections can also be blocked using host-based firewalls on systems that do not need to serve SMB.


Remediation steps

Type   Step
Patch  Apply the Microsoft-supplied patch for CVE-2020-1206 immediately.
       Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206


Last edited: 16 June 2020 11:34 am