Windows 10: SMBleed vulnerability in SMBv3 protocol

[German]Another critical vulnerability has been discovered in the Server Message Block 3.1.1 (SMBv3) protocol of Windows 10/Server Core, which allows access to the kernel memory. But there are patches and mitigations available.


Old SMBGhost (SMBv3) vulnerability

I had reported several times about a vulnerability SMBGhost here in the blog (see links at the end of the article). There is a vulnerability (CVE-2020-0796) in the Microsoft implementation of the SMBv3 protocol in the handling of SMB decompression. This vulnerability allows a remote attacker to execute arbitrary code on a vulnerable system without logging in. The SMBGhost vulnerability (CVE-2020-0796) in the compression mechanism of SMBv3.1.1 was fixed about three months ago. 

New SMBv3 vulnerability

When security researchers from Zeop's features investigated this SMBGhost vulnerability, they discovered a new vulnerability in Microsoft's implementation of the SMBv3 protocol (v3.1.1 compression). The researchers refer to the critical vulnerability CVE-2020-1206 as SMBleed.

SMBleed is in the same function (Srv2DecompressData function in srv2.sys) as SMBGhost. The bug allows an attacker to read uninitialized kernel memory. The details can be read in the security researchers' analysis. RCE attacks may also be possible. 

Windows 10 Clients and Server Core affected

On June 9, 2020, Microsoft issued Security Advisory CVE-2020-1206 (Windows SMBv3 Client/Server Information Disclosure Vulnerability).


An Information Disclosure Vulnerability exists in the implementation of the Microsoft Server Message Block 3.1.1 (SMBv3) protocol in certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would have to configure a malicious SMBv3 server and convince a user to connect to it.

SMBleed affects Windows 10 versions 1903, 1909, and 2004 and the Server Core installations of Windows Server versions 1903, 1909, and 2004; older versions of Windows do not support SMBv3.1.1 compression and are therefore not affected by SMBleed.

Security Updates KB4557957 and KB4560960

To fix the vulnerability, Microsoft released security updates KB4557957 (Windows 10 Version 2004) and KB4560960 (Windows 10 Version 190x). The updates are also available for the server core counterparts (see CVE-2020-1206).

Since ZecOps has released a proof of concepts, patching should be done urgently – the bug is classified as critical. As a workaround for customers who cannot immediately apply the security updates (KB4560960 and KB4557957), Microsoft recommends disabling SMBv3 compression with this PowerShell (Admin) command:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

No restart is required. The command disables compression. Enterprise customers are also advised to block TCP port 445 on the enterprise perimeter firewall to prevent vulnerability attacks.

Similar articles:
Windows SMBv3 0-day-Schwachstelle CVE-2020-0796
Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796
Windows 10: KB4551762 causes error 0x800f0988/0x800f0900
News about the Windows SMBv3 vulnerability SMBGhost
Windows 10: PoC for SMBGhost vulnerability

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *