{"id":14724,"date":"2020-06-11T08:10:41","date_gmt":"2020-06-11T06:10:41","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=14724"},"modified":"2020-06-11T08:11:05","modified_gmt":"2020-06-11T06:11:05","slug":"windows-10-smbleed-vulnearbility-in-smbv3-protocol","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/06\/11\/windows-10-smbleed-vulnearbility-in-smbv3-protocol\/","title":{"rendered":"Windows 10: SMBleed vulnerability in SMBv3 protocol"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/06\/11\/windows-10-smbleed-schwachstelle-im-smbv3-protokoll\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Another critical vulnerability has been discovered in Microsoft's implementation of the Server Message Block 3.1.1 (SMBv3) protocol in Windows 10 and Windows Server Core. It allows an unauthenticated remote attacker to read uninitialized kernel memory. Patches and a workaround are available.<\/p>\n<p><!--more--><\/p>\n<h2>Old SMBGhost (SMBv3) vulnerability<\/h2>\n<p>I have reported several times about the SMBGhost vulnerability here in the blog (see the links at the end of the article). SMBGhost (<a href=\"https:\/\/kb.cert.org\/vuls\/id\/872016\/\">CVE-2020-0796<\/a>) is a bug in Microsoft's implementation of the SMBv3 protocol, in the handling of compressed SMB messages (decompression). It allows a remote attacker to execute arbitrary code on a vulnerable system without authenticating. 
The SMBGhost vulnerability (CVE-2020-0796) in the compression mechanism of SMBv3.1.1 was fixed by Microsoft about three months ago, in March 2020.<\/p>\n<h2>New SMBv3 vulnerability<\/h2>\n<p>While security researchers at ZecOps were investigating the SMBGhost vulnerability, they discovered a second bug in Microsoft's implementation of SMBv3.1.1 compression. The researchers call the vulnerability, tracked as <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1206\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1206<\/a>, <a href=\"https:\/\/blog.zecops.com\/vulnerabilities\/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost\/\" target=\"_blank\" rel=\"noopener noreferrer\">SMBleed<\/a> and rate it as critical.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol <a href=\"https:\/\/t.co\/qyMB7jTsQe\">https:\/\/t.co\/qyMB7jTsQe<\/a><\/p>\n<p>\u2014 Nicolas Krassas (@Dinosn) <a href=\"https:\/\/twitter.com\/Dinosn\/status\/1270576644290478086?ref_src=twsrc%5Etfw\">June 10, 2020<\/a><\/p><\/blockquote>\n<p>SMBleed sits in the same function as SMBGhost: Srv2DecompressData in srv2.sys, which decompresses incoming SMB 3.1.1 compressed messages. Where SMBGhost allows remote code execution, SMBleed allows an unauthenticated attacker to read uninitialized kernel memory, i.e. it is an information disclosure. The details can be read in the security researchers' <a href=\"https:\/\/blog.zecops.com\/vulnerabilities\/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost\/\" target=\"_blank\" rel=\"noopener noreferrer\">analysis<\/a>. 
On its own SMBleed is a memory leak; chained with SMBGhost on a system that is still missing the March 2020 patch, the leaked kernel memory can be used to build a remote code execution exploit, which is what the ZecOps write-up (SMBleedingGhost) demonstrates.<\/p>\n<h2>Windows 10 Clients and Server Core affected<\/h2>\n<p>On June 9, 2020, Microsoft issued Security Advisory <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1206\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1206<\/a> (Windows SMBv3 Client\/Server Information Disclosure Vulnerability).<\/p>\n<blockquote>\n<p>An Information Disclosure Vulnerability exists in the implementation of the Microsoft Server Message Block 3.1.1 (SMBv3) protocol in certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.<\/p>\n<p>To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would have to configure a malicious SMBv3 server and convince a user to connect to it.<\/p>\n<\/blockquote>\n<p>Note that both directions are affected: an exposed SMB server can be attacked directly, and an SMB client can be attacked by luring it to a malicious server. SMBleed affects Windows 10 versions 1903, 1909, and 2004 and the Server Core installations of Windows Server versions 1903, 1909, and 2004. SMBv3.1.1 compression was introduced with Windows 10 version 1903; older Windows versions (Windows 10 1809 and earlier, Windows Server 2019 and earlier) do not support it and are therefore not affected by SMBleed.<\/p>\n<h2>Security Updates KB4557957 and KB4560960<\/h2>\n<p>To fix the vulnerability, Microsoft released the security updates <a href=\"https:\/\/support.microsoft.com\/help\/4557957\" target=\"_blank\" rel=\"noopener noreferrer\">KB4557957<\/a> (Windows 10 version 2004) and <a href=\"https:\/\/support.microsoft.com\/help\/4560960\/\" target=\"_blank\" rel=\"noopener noreferrer\">KB4560960<\/a> (Windows 10 versions 1903 and 1909). 
The updates are also available for the Server Core counterparts (see <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2020-1206\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2020-1206<\/a>).<\/p>\n<p>Since ZecOps has released a proof of concept and the researchers classify the bug as critical, patching should be done urgently. As a workaround for customers who cannot immediately apply the security updates (KB4560960 and KB4557957), Microsoft recommends disabling SMBv3 compression with this PowerShell (Admin) command:<\/p>\n<pre>Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\" DisableCompression -Type DWORD -Value 1 -Force<\/pre>\n<p>No restart is required; the value takes effect for new SMB sessions. The command only disables compression on the SMB server side of the machine: it prevents attacks against the server, but it does not protect the SMB client when a user connects to a malicious server, so it is a stopgap and not a replacement for the update. The workaround can be reverted by setting the value back to 0 (or deleting it). Enterprise customers are also advised to block TCP port 445 on the enterprise perimeter firewall; this stops attacks from the Internet against exposed SMB servers, but not lateral attacks from inside the network.<\/p>\n<p><strong>Similar articles:<\/strong><br \/><a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/11\/windows-smbv3-0-day-schwachstelle-cve-2020-0796\/\">Windows SMBv3 0-day vulnerability CVE-2020-0796<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/12\/windows-10-patch-for-smbv3-vulnerability-cve-2020-0796\/\">Windows 10: Patch for SMBv3 Vulnerability CVE-2020-0796<\/a><br \/><a href=\"https:\/\/www.borncity.com\/blog\/2020\/03\/13\/windows-10-fehler-0x800f0988-0x800f0900-bei-kb4551762\/\">Windows 10: KB4551762 causes error 0x800f0988\/0x800f0900<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/03\/19\/news-about-the-windows-smbv3-vulnerability-smbghost\/\">News about the Windows SMBv3 vulnerability SMBGhost<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/06\/06\/windows-10-poc-for-smbghost-vulnerability\/\">Windows 10: PoC for SMBGhost vulnerability<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Another critical vulnerability has been discovered in the Server Message Block 3.1.1 (SMBv3) protocol of Windows 
10\/Server Core, which allows access to the kernel memory. But there are patches and mitigations available.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[2458,2459,1309,69,655,195,194],"class_list":["post-14724","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-kb4557957","tag-kb4560960","tag-network","tag-security","tag-smb","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=14724"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/14724\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=14724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=14724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=14724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
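The following PowerShell script is an added example, not code from the blog post or from Microsoft. It puts the post's "affected versions", "security updates" and "workaround" paragraphs into one check: it determines whether the host runs one of the affected builds, whether the June 2020 cumulative update for that build is installed, and whether the DisableCompression workaround is already in place, and can then apply or revert the workaround. The mapping of OS build numbers to release names (1903 = 18362, 1909 = 18363, 2004 = 19041) and the assumption that the cumulative updates appear in Get-HotFix under their KB numbers are this example's own assumptions; the registry path, value and KB numbers come from the post. The script name and the -Action parameter values are hypothetical.

```powershell
# Added example (not from the original post or from Microsoft): check a
# Windows 10 / Server Core host for SMBleed (CVE-2020-1206) exposure and apply
# or revert Microsoft's documented workaround (DisableCompression = 1 under
# LanmanServer\Parameters). Run from an elevated PowerShell session.
#
# Assumptions not stated on the page: affected releases are identified by OS
# build number (1903 = 18362, 1909 = 18363, 2004 = 19041), and the June 9, 2020
# cumulative updates are listed by Get-HotFix under their KB numbers.
[CmdletBinding()]
param(
    [ValidateSet('Check', 'Mitigate', 'Revert')]
    [string]$Action = 'Check'
)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Build number -> release name and the KB that fixes CVE-2020-1206 on that release
$affected = @{
    18362 = @{ Release = '1903'; Fix = 'KB4560960' }
    18363 = @{ Release = '1909'; Fix = 'KB4560960' }
    19041 = @{ Release = '2004'; Fix = 'KB4557957' }
}

function Get-SmbleedStatus {
    $build = [System.Environment]::OSVersion.Version.Build
    $info  = $affected[$build]

    # Workaround state: a missing DisableCompression value means compression is enabled.
    $prop = Get-ItemProperty -Path $paramsKey -Name DisableCompression -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $prop) -and ($prop.DisableCompression -eq 1)

    if ($null -eq $info) {
        # Builds without SMB 3.1.1 compression support are out of scope for SMBleed.
        return [pscustomobject]@{
            Build               = $build
            Affected            = $false
            Release             = $null
            FixKB               = $null
            FixInstalled        = $null
            CompressionDisabled = $compressionDisabled
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; the cumulative update is listed by KB id.
    $fix = Get-HotFix -Id $info.Fix -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Build               = $build
        Affected            = $true
        Release             = $info.Release
        FixKB               = $info.Fix
        FixInstalled        = ($null -ne $fix)
        CompressionDisabled = $compressionDisabled
    }
}

function Set-SmbCompression {
    param([Parameter(Mandatory)][bool]$Disabled)
    # Microsoft's workaround: DisableCompression=1 stops the SMB server from
    # negotiating SMB 3.1.1 compression. No reboot is needed. It protects only
    # the server side of this host, not its SMB client, and does not replace the patch.
    $value = if ($Disabled) { 1 } else { 0 }
    Set-ItemProperty -Path $paramsKey -Name DisableCompression -Type DWORD -Value $value -Force
}

$status = Get-SmbleedStatus
$status | Format-List

$exposed = $status.Affected -and -not $status.FixInstalled -and -not $status.CompressionDisabled

switch ($Action) {
    'Mitigate' {
        if ($exposed) {
            Set-SmbCompression -Disabled $true
            Write-Host "SMBv3 compression disabled on the server side. Install $($status.FixKB) as soon as possible."
        } else {
            Write-Host 'No action taken: host not affected, already patched, or workaround already in place.'
        }
    }
    'Revert' {
        Set-SmbCompression -Disabled $false
        Write-Host 'SMBv3 compression re-enabled. Only do this once the cumulative update is installed.'
    }
    default {
        if ($exposed) {
            Write-Warning "Build $($status.Build) (version $($status.Release)) is exposed: $($status.FixKB) is missing and SMB compression is enabled."
        }
    }
}
```

Saved as, for example, Check-SMBleed.ps1 (hypothetical name), run `.\Check-SMBleed.ps1` from an elevated prompt to report the status, `.\Check-SMBleed.ps1 -Action Mitigate` to apply the registry workaround only when the host is actually exposed, and `.\Check-SMBleed.ps1 -Action Revert` to turn compression back on after patching. Because the check keys off the build number rather than the marketing version, a Server Core 1903/1909/2004 installation is handled the same way as the Windows 10 client builds the post lists.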