A security researcher has discovered a new critical vulnerability in the Windows SMB (Server Message Block) protocol that could allow an attacker to leak kernel memory remotely. Combined with the “wormable” flaw disclosed earlier this year, it can be used to achieve remote code execution.
The SMB protocol, which runs over TCP port 445, provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network.
The vulnerability, dubbed “SMBleed” and tracked as CVE-2020-1206, was discovered by the cybersecurity firm ZecOps and resides in SMB’s decompression function.
Windows 10 versions 1903, 1909, and 2004 were found vulnerable to the flaw; Microsoft has released fixes in its June security updates.
Three months ago a similar flaw was found in the SMB protocol, dubbed SMBGhost and tracked as CVE-2020-0796. SMBGhost was serious enough to receive a severity score of 10, the highest possible.
Last week the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency advisory urging organisations to update their systems to the latest versions after an exploit for SMBGhost was published online.
“Although Microsoft disclosed and provided updates for this vulnerability in March 2020, malicious cyber actors are targeting unpatched systems with the new PoC, according to recent open-source reports,” CISA said.
The SMBGhost bug was caused by a lack of integer overflow checks.
“An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,” Microsoft said in its advisory.
To successfully exploit the flaw, an attacker needs to configure a malicious SMBv3 server and convince a user to connect to it. SMBGhost can be combined with SMBleed to achieve remote code execution on vulnerable systems.
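The missing integer overflow check mentioned above is a general pattern in length handling for compressed headers, so it is worth seeing what the check looks like. The C program below is an added example written for this article, not Windows code or ZecOps’ research. It assumes a hypothetical two-field header (a 32-bit decompressed size plus a 32-bit offset; the field names and layout are assumptions) and places the flawed unchecked addition beside a hardened version that rejects a wrapping sum, an offset that exceeds the bytes actually received, and a total above a policy cap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy cap on decompressed output (constructed value for this example). */
#define MAX_DECOMPRESSED_BYTES (16u * 1024u * 1024u)

/* Hypothetical compression header carrying two 32-bit length fields.
 * Field names are an assumption for illustration, not Windows' structures. */
typedef struct {
    uint32_t original_size; /* size of the payload once decompressed */
    uint32_t offset;        /* length of the uncompressed prefix before the compressed data */
} sample_header_t;

/* Constructed sample packets: a benign header, and one whose two fields
 * sum past 2^32 (0xFFFFFFF0 + 0x20 wraps to 0x10). Both are little-endian. */
static const uint8_t benign_pkt[8]  = { 0x64, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00 };
static const uint8_t hostile_pkt[8] = { 0xF0, 0xFF, 0xFF, 0xFF, 0x20, 0x00, 0x00, 0x00 };

/* Parse the two little-endian fields from the front of a packet.
 * Returns false if the packet is too short to contain the header. */
bool parse_header(const uint8_t *buf, size_t len, sample_header_t *h)
{
    if (buf == NULL || h == NULL || len < 8)
        return false;
    h->original_size = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                       ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    h->offset = (uint32_t)buf[4] | ((uint32_t)buf[5] << 8) |
                ((uint32_t)buf[6] << 16) | ((uint32_t)buf[7] << 24);
    return true;
}

/* Flawed pattern: the 32-bit sum wraps, so a crafted header yields a tiny
 * allocation while the decompressor later writes the full claimed amount. */
uint32_t alloc_size_unchecked(sample_header_t h)
{
    return h.original_size + h.offset; /* wraps modulo 2^32 */
}

/* Hardened pattern: refuse the header if the sum would wrap, if the claimed
 * uncompressed prefix is not present in the packet, or if the total exceeds
 * the policy cap. On success *out holds the byte count to allocate. */
bool alloc_size_checked(sample_header_t h, size_t packet_len, size_t *out)
{
    if (out == NULL)
        return false;
    /* 1. a + b overflows a uint32_t exactly when b > UINT32_MAX - a */
    if (h.offset > UINT32_MAX - h.original_size)
        return false;
    uint32_t total = h.original_size + h.offset;
    /* 2. the prefix must fit inside the bytes actually received */
    if (h.offset > packet_len)
        return false;
    /* 3. bound the allocation independently of what the peer claims */
    if (total > MAX_DECOMPRESSED_BYTES)
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: parse then validate; returns 0 when the packet is
 * rejected (a zero-length allocation is never valid here). */
size_t alloc_size_from_packet(const uint8_t *buf, size_t len, size_t packet_len)
{
    sample_header_t h;
    size_t n;
    if (!parse_header(buf, len, &h))
        return 0;
    return alloc_size_checked(h, packet_len, &n) ? n : 0;
}

int main(void)
{
    sample_header_t h;
    parse_header(benign_pkt, sizeof benign_pkt, &h);
    printf("benign : unchecked=%u checked=%zu\n",
           alloc_size_unchecked(h), alloc_size_from_packet(benign_pkt, 8, 64));
    parse_header(hostile_pkt, sizeof hostile_pkt, &h);
    printf("hostile: unchecked=%u (wrapped) checked=%zu (rejected)\n",
           alloc_size_unchecked(h), alloc_size_from_packet(hostile_pkt, 8, 64));
    return 0;
}
```

The key line is the overflow test performed before the addition: `UINT32_MAX - a` can never itself wrap, so comparing the second operand against it is a branch-free way to detect the wrap without relying on compiler builtins. Bounding `offset` against the real packet length closes the related problem of a header that describes more data than was received.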
Users are urged to update their systems to the latest versions. Blocking TCP port 445 will stop lateral movement using these vulnerabilities.
Proof-of-concept code for the vulnerability has also been made available.