Mitigate Now
On June 9, security researchers at ZecOps announced a powerful new vulnerability within Windows’ implementation of the Server Message Block (SMB) protocol that could lead to Remote Code Execution (RCE). The new vulnerability is formally referred to as CVE-2020-1206 or “SMBleed.” Newer releases of Microsoft Windows 10, specifically 1903/1909/2004, have been shown to be impacted by the vulnerability.
ZecOps released two proofs of concept (POCs) with the SMBleed notification:
The SMBleed vulnerability is very similar to the recent critical Windows vulnerability, SMBGhost, as both center on weaknesses in Windows’ SMB protocol decompression function. SMB should not be accessible on public-facing devices as a best practice, but misconfigurations can and do happen.
If a weaponized exploit of SMBleed becomes available, organizations with misconfigured public-facing Windows servers could be targeted. Organizations should also consider non-public-facing Windows assets to be impacted, since malware developers may incorporate the weaponized exploit into worms designed for lateral movement between internal assets, where the SMB service is most readily used.
At this point, the SMBleed exploit has not been seen in the wild; however, now that POCs are publicly available, it is only a matter of time until exploit kits include these attacks. The pre-authentication SMBleed POC in particular has not yet been seen in the wild. Additionally, SMBGhost RCE attacks tend to have a significant negative impact on the target, causing BSODs (blue screen of death) and similar Windows kernel failures. Currently there is no mature and robust method to exploit these vulnerabilities, but that is likely only a matter of time.
Blumira recommends applying the two relevant Windows patches, released in March and June 2020, as soon as responsibly possible across all impacted Windows systems. The March patch should be considered relatively safe to adopt given both its high level of adoption and the time elapsed since release; bugs introduced by patches themselves usually surface shortly after initial release.
In time, endpoint security products should be able to detect the malicious SMB behavior with varying levels of efficacy. Microsoft Defender's recent update includes a detection signature and a baseline of detection for Windows Servers, so make sure your Defender signatures are up to date. Additionally, as a precautionary measure, organizations should audit their own public-facing devices for SMB service availability.
Additionally, Blumira's platform can detect SMB connections from public IP addresses, as well as attacks that exploit SMB, such as EternalBlue. We also detect large spikes of outbound SMB traffic, which can indicate a compromise. Our security platform helps organizations detect and respond to malicious SMB activity that may be indicative of system misconfigurations and/or targeted attacker behavior.
Below are the tables provided by ZecOps of impacted Windows operating systems. If your systems are vulnerable, you should apply the Patch Tuesday patch from 2020-06-09 or implement the mitigations below as soon as possible.
Windows 10 Version 2004

| Update | SMBGhost | SMBleed |
|---|---|---|
| KB4557957 | Not Vulnerable | Not Vulnerable |
| Before KB4557957 | Not Vulnerable | Vulnerable |

Windows 10 Version 1909

| Update | SMBGhost | SMBleed |
|---|---|---|
| KB4560960 | Not Vulnerable | Not Vulnerable |
| KB4551762 | Not Vulnerable | Vulnerable |
| Before KB4551762 | Vulnerable | Vulnerable |

Windows 10 Version 1903

| Update | Null Dereference Bug | SMBGhost | SMBleed |
|---|---|---|---|
| KB4560960 | Fixed | Not Vulnerable | Not Vulnerable |
| KB4551762 | Fixed | Not Vulnerable | Vulnerable |
| KB4512941 | Fixed | Vulnerable | Vulnerable |
| None of the above | Not Fixed | Vulnerable | Potentially vulnerable* |
Microsoft's Patch Tuesday release on 2020-06-02 contained a fix for the SMBleed SMBv3 vulnerability, among many others. Blumira strongly recommends accelerating patching timelines to secure your environment before the public POCs for SMBleed and the combined SMBGhost/SMBleed Remote Code Execution are built into exploit kits. Critical servers should be patched by the end of the week wherever possible.
If you cannot patch systems that use or expose the SMBv3 protocol, Blumira recommends following Microsoft's mitigation workaround. If you already applied this workaround for SMBGhost, you are already protected against SMBleed.
You can disable SMBv3 compression, which blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server, with the PowerShell command below (run from an elevated prompt).

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 1 -Force
Notes: No reboot is needed after making the change. The workaround protects only the SMBv3 server role; it does not prevent exploitation of SMB clients, which still require the patch.

You can remove the workaround with the PowerShell command below.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name DisableCompression -Type DWORD -Value 0 -Force
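To turn the ZecOps tables and the workaround above into a quick local audit, here is an added PowerShell script (not code from Blumira, ZecOps or Microsoft) that reads the host's Windows 10 release, checks which of the listed KBs are installed, and reports whether DisableCompression is set. It assumes Windows PowerShell 5.1 running elevated and covers only the three releases in the tables; KB ids and verdicts come straight from those tables.

```powershell
# Added example (not Blumira's, ZecOps' or Microsoft's code): audit the local
# Windows 10 host against the ZecOps KB table and the DisableCompression
# workaround. Assumes Windows PowerShell 5.1 run as a local administrator.
$table = @{
    '2004' = @{ Both = @('KB4557957'); GhostOnly = @();            Older = @() }
    '1909' = @{ Both = @('KB4560960'); GhostOnly = @('KB4551762'); Older = @() }
    '1903' = @{ Both = @('KB4560960'); GhostOnly = @('KB4551762'); Older = @('KB4512941') }
}

function Get-SmbleedStatus {
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
    if (-not $table.ContainsKey($release)) {
        return "Windows release $release is not covered by the ZecOps table; check Microsoft's advisory."
    }
    # Get-HotFix only reports KBs installed on this host. A later cumulative
    # update supersedes the ones listed, so 'Vulnerable' here means 'review manually'.
    $installed = (Get-HotFix).HotFixID
    $row = $table[$release]
    $has = { param($kbs) [bool]($kbs | Where-Object { $installed -contains $_ }) }

    if (& $has $row.Both)          { $ghost = 'Not Vulnerable'; $bleed = 'Not Vulnerable' }
    elseif (& $has $row.GhostOnly) { $ghost = 'Not Vulnerable'; $bleed = 'Vulnerable' }
    elseif (& $has $row.Older)     { $ghost = 'Vulnerable';     $bleed = 'Vulnerable' }
    else {
        # No listed KB found: 2004 shipped after the SMBGhost fix, 1909 is exposed
        # to both, and 1903 is listed as only potentially vulnerable to SMBleed.
        switch ($release) {
            '2004' { $ghost = 'Not Vulnerable'; $bleed = 'Vulnerable' }
            '1909' { $ghost = 'Vulnerable';     $bleed = 'Vulnerable' }
            '1903' { $ghost = 'Vulnerable';     $bleed = 'Potentially vulnerable' }
        }
    }

    # Microsoft's workaround: DisableCompression = 1 under the LanmanServer parameters key
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $dc = (Get-ItemProperty -Path $params -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression

    [pscustomobject]@{
        Release           = $release
        SMBGhost          = $ghost
        SMBleed           = $bleed
        WorkaroundApplied = ($dc -eq 1)
        Action            = if ($bleed -ne 'Not Vulnerable' -and $dc -ne 1) { 'Patch or apply workaround' } else { 'None' }
    }
}

Get-SmbleedStatus | Format-List
```

Because the workaround only covers the server role, a host reporting WorkaroundApplied = True but SMBleed = Vulnerable still needs the June 2020 update for its SMB client.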
Resource: Microsoft on Windows SMBv3 Client/Server Information Disclosure Vulnerability (CVE-2020-1206).