SMBleed Vulnerability and POC Exploit Released
On June 9, security researchers at ZecOps announced a powerful new vulnerability within Windows’ implementation of the Server Message Block (SMB) protocol that could lead to Remote Code Execution (RCE). The new vulnerability is formally referred to as CVE-2020-1206 or “SMBleed.” Newer releases of Microsoft Windows 10, specifically 1903/1909/2004, have been shown to be impacted by the vulnerability.
ZecOps released two Proof of Concepts (POC) with the SMBleed notification:
- One for SMBleed that allows authenticated remote reading of kernel memory (valid credentials are required)
- Another that combines SMBGhost (CVE-2020-0796) with SMBleed for Remote Code Execution (RCE) and shell.
What That Means
The SMBleed vulnerability is very similar to the recent critical Windows vulnerability, SMBGhost, as both center on weaknesses in Windows’ SMB protocol decompression function. SMB should not be accessible on public-facing devices as a best practice, but misconfigurations can and do happen.
If a weaponized exploit of SMBleed becomes available, organizations with misconfigured public-facing Windows servers could be targeted. Organizations should consider non-public facing Windows assets to be impacted, since malware developers may incorporate the weaponized exploit into worms designed for lateral movement between internal assets where the SMB service is most readily used.
At this point, the SMBleed exploit has not been seen in the wild; however, now that POCs are publicly available, it is only a matter of time until exploit kits include the attacks. That being said, the pre-authentication SMBleed POC attack has not yet been seen in the wild. Additionally, SMBGhost RCE attacks tend to have significant negative impact on the target, causing BSOD (blue screen of death) and similar Windows kernel failures. Currently, there is not a mature and robust method to exploit these vulnerabilities; however, it is likely only a matter of time.
How Would I Know and What Should I Do?
Blumira recommends applying the two relevant Windows patches that were released in March and June 2020 as soon as responsibly possible across all impacted Windows systems. The March patch should be considered relatively safe to adopt given both its high level of adoption and the time elapsed since release. Bugs introduced by patches themselves often surface shortly after initial release.
In time, endpoint security products should be able to detect the malicious SMB behavior with varying levels of efficacy. Microsoft Defender’s recent update includes a detection signature and a baseline of detection for Windows Servers. Make sure your Defender signatures are up to date. Additionally, as a precautionary measure, organizations should audit their own public-facing devices for SMB service availability.
Additionally, Blumira’s platform can detect SMB connections from public IP addresses, as well as vulnerabilities that exploit SMB, such as EternalBlue. We also detect large spikes of outbound SMB traffic, which can indicate a compromise. Our security platform helps organizations detect and respond to malicious SMB activity that may be indicative of system misconfigurations and/or targeted attacker behavior.
Below are the tables provided by ZecOps of impacted Windows operating systems. If your systems are vulnerable, you should apply the Patch Tuesday patch from 2020-06-09 or implement mitigations as soon as possible.
Windows 10 Version 2004

| Update | SMBGhost | SMBleed |
|---|---|---|
| KB4557957 | Not Vulnerable | Not Vulnerable |
| Before KB4557957 | Not Vulnerable | Vulnerable |

Windows 10 Version 1909

| Update | SMBGhost | SMBleed |
|---|---|---|
| KB4560960 | Not Vulnerable | Not Vulnerable |

Windows 10 Version 1903

| Update | Null Dereference Bug | SMBGhost | SMBleed |
|---|---|---|---|
| KB4560960 | Fixed | Not Vulnerable | Not Vulnerable |
| None of the above | Not Fixed | Vulnerable | Potentially vulnerable* |
When Will Microsoft Fix It?
Microsoft’s Patch Tuesday released on 2020-06-02 contained the patch for the SMBleed SMBv3 vulnerability among many others. Blumira strongly recommends accelerating patching timelines to secure your environment before the public POCs for SMBleed and the combined SMBGhost/SMBleed Remote Code Execution are built into exploit kits. Critical servers should be patched by the end of the week wherever possible.
If you cannot patch systems that are using or exposing the SMBv3 protocol, Blumira recommends following the Microsoft mitigation workaround. If you already applied this workaround for SMBGhost, then you’re already protected against SMBleed.
Disable SMBv3 Compression
You can disable compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 Server with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
- No reboot is needed after making the change.
- This workaround does not prevent exploitation of SMB clients; it only prevents the SMBv3 server-side compression path from being leveraged by SMBleed.
- SMB Compression is not yet used by Windows or Windows Server, and disabling SMB Compression has no negative performance impact.
You can disable the workaround with the PowerShell command below.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
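As an added example (not code from the Blumira post or from ZecOps), a PowerShell audit that reads the Windows 10 ReleaseId, checks for the fixing KB listed in the tables above, and reports whether the DisableCompression workaround is set; it also wraps the apply/revert commands with a read-back check. The function names Get-SmbleedExposure and Set-SmbCompressionDisabled are assumed here, and the script assumes it runs locally with administrative rights.

```powershell
# Added example, not from the post. Assumes local admin rights on Windows 10.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbleedExposure {
    # Fixing KB per Windows 10 release, taken from the ZecOps tables in the post
    $fixKb = @{ '2004' = 'KB4557957'; '1909' = 'KB4560960'; '1903' = 'KB4560960' }

    $release  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    $required = $fixKb[$release]        # $null when the release is not in the tables

    $patched = $false
    if ($required) {
        $patched = [bool](Get-HotFix -Id $required -ErrorAction SilentlyContinue)
    }

    # A missing value or 0 means compression is still enabled on the server side
    $value = (Get-ItemProperty -Path $regPath -Name DisableCompression `
              -ErrorAction SilentlyContinue).DisableCompression
    $workaround = ($value -eq 1)

    [pscustomobject]@{
        ReleaseId           = $release
        ListedInTables      = [bool]$required
        RequiredUpdate      = $required
        UpdateInstalled     = $patched
        CompressionDisabled = $workaround
        # Workaround covers the SMB server only; clients are protected by the patch
        ServerMitigated     = ($patched -or $workaround)
        ClientMitigated     = $patched
    }
}

function Set-SmbCompressionDisabled {
    param([switch]$Revert)   # -Revert restores the default (compression enabled)
    $newValue = if ($Revert) { 0 } else { 1 }
    Set-ItemProperty -Path $regPath -Name DisableCompression -Type DWORD -Value $newValue -Force
    # No reboot is needed; read the value back to confirm the write took effect
    (Get-ItemProperty -Path $regPath -Name DisableCompression).DisableCompression -eq $newValue
}

Get-SmbleedExposure | Format-List
```

A host showing ListedInTables true with both UpdateInstalled and CompressionDisabled false is exposed and should be patched or have Set-SmbCompressionDisabled applied until it can be.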