SMBleed Vulnerability Affects Windows SMB Protocol


smbleed the newly introduced vulnerability affecting the Server Message Block(SMB) protocol.

How It Works !

It allows attackers to leak kernel memory remotely, and when combined with a previously
disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks.

During research to exploit SMBGhost , It discovered another vulnerability SMBleed. SMBleed
allows reading uninitialized kernel memory and worse, combined with the already patched SMBGhost would again allow remote command execution.

SMB or Server Message Block is a protocol that Windows uses to share files, devices,
or other communications on the network.

In the past, reports of vulnerabilities and attacks through SMB protocols have been reported. 
Periodically, in early June 2020, there were 3 data releases and patches for SMB-related
vulnerabilities: SMBGhost (CVE-2020-0796), SMBleed (CVE-2020-1206), and
SMBLost ( CVE-2020-1301) Each vulnerability can be summarized as follows
and guidelines for prevention as follows

SMBGhost is a remote code execution vulnerability. It can execute arbitrary code on the victim's
machine remotely. 

The vulnerability has affected SMBv3 on Windows 10 and Windows Server (Core installation) versions 1903 and 1909. Microsoft has released a patch for this vulnerability since March 2020.

 A tool that can be used to attack and execute code on the target machine was released
to the public on 2 June 2020.

SMBleed is a vulnerability that can be used to attack remote read data in memory.
 Attack conditions require credentials and open folder sharing for write access. 

The vulnerability affects SMBv3 on Windows 10 versions 1903, 1909, and 2004. 

The vulnerability can be combined with the SMBGhost vulnerability in order to have
a greater chance of success. 

An example of a vulnerability attack tool (both SMBleed and SMBleed + SMBGhost)
was released to the public on June 9, 2020. Microsoft has released a patch for this vulnerability
in the June 2020 patch.

SMBLost is a denial of service vulnerability causing the terminal to be on the blue screen.

 Attack conditions require credentials and partition sharing (such as C: \\, D: \\). 

The vulnerability affects SMBv1 on Windows 7, 8, 8.1, Server 2008, 2012, 2016, And 2019, for example, a vulnerability attack tool was released to the public on June 9, 2020. 

Microsoft has released a patch for this vulnerability in the June 2020 patch. 

Administrators may consider disabling SMBv1 if it is not necessary. Active to reduce risks

Know More About SMB (Server Message Block)

The SMB protocol (SMBv1) was developed at IBM by Barry Feigenbaum in 1983.
Implemented by Microsoft Windows in 1992

Server Message Block version 2 (SMBv2)|was introduced as part of the release of
Windows Vista and Windows Server 2008.

It is designed to provide new enhancements to the protocol as well as address some
of the existing issues in SMBv1.

Server Message Block(SMBv3) introduced in the year 2012

The latest version of SMB is 3.1.1

What to Do If till the patches are released!

Microsoft strongly recommends that you install the updates for this vulnerability
as soon as they become available.

How To Disable SMBv3 compression (Workaround) with PowerShell command

Set-ItemProperty -Path
"HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression
-Type DWORD -Value 1 -Force

Disable SMBv3

Post a Comment