SMBleed (CVE-2020-1206)

Earlier this week, as part of June's Patch Tuesday, Microsoft fixed a new vulnerability in the SMB protocol (CVE-2020-1206). The bug, dubbed SMBleed, lets a remote attacker read data from kernel memory without authentication (an information leak, not code execution on its own).

The vulnerability was discovered by researchers at ZecOps, who say the new bug can be chained with a similar vulnerability, SMBGhost (CVE-2020-0796, also known as CoronaBlue, NexternalBlue, and BluesDay), for which patches were already released in March 2020.

As with SMBGhost, the root of the SMBleed problem lies in the SMB 3.1.1 compression mechanism, and the bug affects how the protocol handles certain compressed requests. Windows 10 and Windows Server versions 1903, 1909, and 2004 are vulnerable; earlier versions do not support SMB 3.1.1 compression and are therefore not affected.

[Image: vulnerable versions]

“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,” says Microsoft's official security advisory.

Although patches for SMBleed are already available, Microsoft also documents a workaround: disabling SMBv3 compression on the server. The researchers note that both SMBleed and SMBGhost can additionally be mitigated by blocking TCP port 445 at the network perimeter, increasing host isolation, and disabling SMB 3.1.1 compression. Note that disabling compression only protects the server side; it does nothing to stop a client from being exploited by a malicious server. The researchers still recommend installing the patch rather than relying on these workarounds.
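The following PowerShell script is an added example (not from the article or from ZecOps) that applies the workarounds above on a Windows host: it checks whether the OS build is one of the affected releases, sets the DisableCompression registry value that Microsoft's advisory documents, and adds a firewall rule for TCP 445. The build-to-version table and the firewall rule name are assumptions made for this example; the registry path and value name are the ones from Microsoft's advisory.

```powershell
# Added example, not the article's own code.
# Affected releases of Windows 10 / Server (assumed mapping of build number to version):
#   18362 = 1903, 18363 = 1909, 19041 = 2004. Earlier builds have no SMB 3.1.1 compression.
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909'; 19041 = '2004' }
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild

if (-not $affectedBuilds.ContainsKey($build)) {
    Write-Host "Build $build does not ship SMB 3.1.1 compression; no workaround needed."
    return
}
Write-Host "Build $build (version $($affectedBuilds[$build])) is in the affected range; applying workarounds."

# Workaround 1 (from Microsoft's advisory): disable SMBv3 compression on the server side.
# This is the same value Microsoft documented for SMBGhost. It protects the SMB server
# role only; a client connecting to a malicious server is NOT protected by this setting.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $params -Name DisableCompression -Type DWORD -Value 1 -Force

# Verify the value took effect (expect 1).
$current = (Get-ItemProperty -Path $params).DisableCompression
if ($current -ne 1) { throw "DisableCompression is '$current', expected 1" }
Write-Host "SMBv3 compression disabled (DisableCompression = $current)."

# Workaround 2: block inbound TCP 445. Rule name is an assumption for this example.
# -RemoteAddress Any blocks all inbound SMB, including from the LAN; narrow -RemoteAddress
# to your environment if the host must still serve local clients.
$ruleName = 'Block inbound SMB 445 (SMBGhost/SMBleed workaround)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress Any -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
} else {
    Write-Host "Firewall rule '$ruleName' already exists."
}
```

Run the script from an elevated PowerShell session. Neither workaround replaces the June update: the registry value leaves SMB clients exposed, and the firewall rule only helps against attackers outside the trusted network, so install the patch and treat these as stop-gaps.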

The researchers have already published a PoC exploit for SMBleed. They explain that, for the exploit to work, the attacker needs credentials as well as write access to a share. However, they also note that the bug can be exploited without authentication: by chaining SMBleed with SMBGhost, the researchers achieved unauthenticated remote code execution (RCE).
