Priority: Critical

Executive Summary: Researchers at ZecOps have publicly disclosed a Proof of Concept (PoC) for a vulnerability that they discovered in SMBv3 whilst investigating SMBGhost [1]. They have named this vulnerability SMBleed (CVE-2020-1206). Although, by itself, exploiting the vulnerability only achieves information disclosure, the researchers have combined the attacks of SMBleed (as advised yesterday) and SMBGhost to form an exploit capable of achieving Remote Code Execution (RCE) against a target. This comes just days after an individual PoC was released targeting SMBGhost, also designed to achieve remote code execution (more details on this can be found on our SMBGhost Threat Horizon released on 9th June 2020).

SMBGhost was patched in March, and SMBleed has been fixed in the patches released by Microsoft in the most recent Patch Tuesday, that addresses 129 vulnerabilities [2]. However, this newest publicly available PoC highlights the urgency of updating Windows systems to avoid becoming victim to a disaster similar to the WannaCry ransomware outbreak in 2017, which utilised vulnerabilities in SMB to spread across networks.

The researchers discovered the vulnerability in the Srv2DecompressData function within the SMB server driver, the same location the SMBGhost vulnerability was found. It is possible to perform an integer overflow attack whereby the attacker tells the function that the amount of data it will have after decompressing a compressed section is greater than it actually is. This means that after decompression, uninitialized kernel data is treated as part of the message. The researchers were able to exploit this issue in conjunction with the SMBGhost vulnerability to formulate an exploit which achieves remote code execution on a target system. This can be used directly against a target SMB server and can be used against an SMB client, however, in order to use the attack against an SMB client an attacker would need to force a user to connect to a malicious SMBv3 server they had created.

The most recent Microsoft Patch Tuesday addresses 129 vulnerabilities, 11 of which are rated as critical by Microsoft and 23 of which involve remote code execution. This makes it particularly important to ensure that all Windows systems are updated as soon as possible, before further PoCs are released, or the existing PoCs start being used by threat actors in the wild.

Detect: All systems running outdated versions of Windows systems will be affected, so any methods to detect running Windows versions may assist with detection. To check the OS build of a local Windows 10/Server host, go to Start > Settings > System > About and compare the version with latest versions.

For ITC’s VI customers, the Microsoft vulnerabilities will be detected through running scans, or through ad-hoc scans if required.

Affected Products:
The following products are affected by the SMBleed vulnerability:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based System
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)
  • Windows Server, version 2004 (Server Core installation)

Please see Microsoft’s Release Notes on the June 2020 Security Updates for more details on all of the systems affected by the 129 vulnerabilities that fixes have been released for [2].

Prevent: Microsoft’s most recent Patch Tuesday (9th June 2020) addresses 129 vulnerabilities, including SMBleed. SMBGhost was patched in March updates.

Microsoft have also released details of a workaround involving disabling SMBv3 Compression, which protects against SMBleed and SMBGhost exploitation. This can be achieved with the following PowerShell command:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” DisableCompression -Type DWORD -Value 1 -Force

As SMB Compression is not currently used by Windows 10 or Windows Server, there is no negative impact to using this workaround. However, as numerous other vulnerabilities were fixed in the most recent patching, including vulnerabilities which can be exploited to achieve remote code execution, updating is recommended in preference to applying workarounds.

React: All affected systems should have the relevant patches applied as soon as possible.