Cybersecurity researchers today disclosed a new critical vulnerability in the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely. Combined with a previously disclosed "wormable" bug, it can be exploited to achieve remote code execution.
The bug, which cybersecurity company ZecOps calls "SMBleed" (CVE-2020-1206), lies in SMB's decompression function, the same function affected by SMBGhost, also known as EternalDarkness (CVE-2020-0796), which surfaced three months ago and exposed vulnerable Windows systems to malware capable of spreading across networks.
The newly discovered vulnerability affects Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.
The development comes after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory last week warning Windows 10 users to update their machines, following the publication of exploit code for the SMBGhost flaw.
SMBGhost was rated so severe that it received the maximum severity score of 10.
"Although Microsoft disclosed and released updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports," CISA said.
SMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network.
According to ZecOps researchers, the flaw stems from the way the decompression function ("Srv2DecompressData") handles specially crafted message requests (for example SMB2 WRITE) sent to a target SMBv3 server, allowing an attacker to read uninitialized kernel memory and to make changes to the compression function.
"The message structure contains fields such as the number of bytes to write and flags, followed by a variable-length buffer," the researchers said. "This is perfect for exploiting the bug, because we can craft a message that specifies the header while the variable-length buffer contains uninitialized data."
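The mechanism the researchers describe, modelled as an added example that is not code from ZecOps or Microsoft: a decompression buffer sized from a header's claimed length but only partly filled with real data, and an SMB2 WRITE whose Length field reaches into the unfilled remainder. The WRITE field layout follows MS-SMB2 section 2.2.21; the "stale" bytes standing in for uninitialized kernel memory and the bounds check in the hardened variant are this example's own assumptions, not Microsoft's actual fix.

```python
import struct

# SMB2 WRITE request fixed part (48 bytes, little-endian) per MS-SMB2 2.2.21:
# StructureSize, DataOffset, Length, Offset, FileId, Channel, RemainingBytes,
# WriteChannelInfoOffset, WriteChannelInfoLength, Flags; then a variable Buffer.
WRITE_FMT = "<HHIQ16sIIHHI"
WRITE_FIXED = struct.calcsize(WRITE_FMT)  # 48

def build_write(payload: bytes, claimed_length: int) -> bytes:
    """Constructed WRITE request; the header's Length may exceed the bytes sent."""
    hdr = struct.pack(WRITE_FMT, 49, WRITE_FIXED, claimed_length, 0,
                      b"\0" * 16, 0, 0, 0, 0, 0)
    return hdr + payload

def decompress_into_buffer(claimed_size: int, message: bytes, stale: bytes):
    """Models a server buffer allocated from the claimed size but filled only
    with what actually decompressed; `stale` stands in for old kernel memory
    (an assumption of this model, not real memory contents)."""
    buf = bytearray(stale[:claimed_size].ljust(claimed_size, b"\0"))
    buf[:len(message)] = message
    return bytes(buf), len(message)          # buffer, bytes actually filled

def write_data_unchecked(buf: bytes, _filled: int) -> bytes:
    """Trusts Length from the header: can return bytes nobody initialized."""
    data_offset, length = struct.unpack_from("<HI", buf, 2)
    return buf[data_offset:data_offset + length]

def write_data_checked(buf: bytes, filled: int) -> bytes:
    """Hardened: DataOffset + Length must fit inside the bytes really decompressed."""
    data_offset, length = struct.unpack_from("<HI", buf, 2)
    if data_offset < WRITE_FIXED or data_offset + length > filled:
        raise ValueError("WRITE Length exceeds decompressed data")
    return buf[data_offset:data_offset + length]

def demo():
    """Returns (bytes the unchecked path hands back, whether the check rejected)."""
    stale = b"SECRET-KERNEL-BYTES" * 8        # constructed stand-in for stale memory
    msg = build_write(b"hi", claimed_length=32)   # 2 real bytes, Length says 32
    buf, filled = decompress_into_buffer(128, msg, stale)
    leaked = write_data_unchecked(buf, filled)
    try:
        write_data_checked(buf, filled)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected
```

In the model, the unchecked path returns the two real bytes followed by 30 bytes of stale buffer content, which is exactly the kind of data a WRITE would then persist to a file; the checked path rejects the request outright.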
"An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server," Microsoft said in its advisory.
"To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it," Microsoft added.
Worse, SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution. ZecOps has also released proof-of-concept exploit code demonstrating the flaws.
To mitigate the vulnerability, home and business users are advised to install the latest Windows updates as soon as possible.
For systems where the patch cannot be applied, it is recommended to block TCP port 445 to prevent lateral movement and remote exploitation.
Microsoft's security advisories for SMBleed and SMBGhost, covering Windows 10 versions 1909 and 1903 and Server Core for the same versions, are available from Microsoft.