Threat Alert

by IthacaLabs™

THREAT LEVEL: High | 10/06/2020

New Critical Vulnerability Affecting Windows SMB Protocol

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are required, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new critical vulnerability affecting the Microsoft Server Message Block (SMB) protocol has been identified.

The flaw (CVE-2020-1206), also known as “SMBleed”, could allow attackers to leak kernel memory remotely, or to achieve pre-auth remote code execution when chained with the “SMBGhost” vulnerability (CVE-2020-0796), which was patched three months ago.

The Server Message Block Protocol (SMB protocol), which runs over TCP port 445, is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

Similar to “SMBGhost”, the “SMBleed” vulnerability resides in the Srv2DecompressData function of srv2.sys, the SMB server driver.

To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.
To exploit the vulnerability against a client, an attacker would need to trick a user into connecting to the attacker's malicious SMBv3 server.

CVE(s)

CVE-2020-1206

BASE SCORE: 5 Medium
VECTOR: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Information Disclosure Vulnerability'.

CVE-2020-0796

BASE SCORE: 7.5 High
VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.

Affected Systems

  • Microsoft Server Message Block (SMB) protocol
  • Microsoft Windows 10 1903 & 1909
  • Microsoft Windows Server 2016 1903 & 1909

Recommendation(s)

You should immediately update to the latest version and apply the relevant security patches.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to operate an efficient patch management process, keep security event logging enabled at all times, and monitor those events. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
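The description above names the affected releases (Windows 10 and Windows Server 1903 and 1909), the service (SMBv3 over TCP port 445) and the fix (apply the cumulative update). The script below is an added example, not part of the IthacaLabs alert and not Microsoft's own tooling: it audits one Windows host and reports whether it runs an affected release, whether the update is installed, whether the SMB server is listening on TCP 445, and whether Microsoft's published SMBv3 compression workaround (the DisableCompression value under LanmanServer\Parameters, from the advisory for CVE-2020-0796) is set. The KB number of the update is not stated on this page, so it is taken as a parameter with an obvious placeholder default.

```powershell
# Added audit example (not from the alert). Assumptions: the operator supplies the
# cumulative update KB as -PatchKB; DisableCompression=1 under LanmanServer\Parameters
# is the SMBv3 compression workaround Microsoft published for CVE-2020-0796.
[CmdletBinding()]
param(
    # PLACEHOLDER: replace with the KB number of the update that fixes CVE-2020-1206.
    [string]$PatchKB = 'KB-PLACEHOLDER'
)

# Release IDs named in the alert as affected (Windows 10 and Windows Server).
$AffectedReleaseIds = @('1903', '1909')

function Get-WindowsReleaseInfo {
    # Reads the OS identity from the registry; works without any extra modules.
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName = $nt.ProductName
        ReleaseId   = $nt.ReleaseId
        Build       = "$($nt.CurrentBuild).$($nt.UBR)"
    }
}

function Test-PatchInstalled([string]$Kb) {
    # $null means "unknown": the operator did not supply a real KB number.
    if ($Kb -eq 'KB-PLACEHOLDER') { return $null }
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Test-SmbCompressionDisabled {
    # $true only when the server-side workaround value is present and set to 1.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = Get-ItemProperty -Path $params -Name 'DisableCompression' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.DisableCompression -eq 1)
}

function Test-SmbListening {
    # Is anything listening on TCP 445 (the SMB port named in the alert)?
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    return [bool]$listeners
}

$info     = Get-WindowsReleaseInfo
$affected = $AffectedReleaseIds -contains $info.ReleaseId

$report = [pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    Product                = $info.ProductName
    ReleaseId              = $info.ReleaseId
    Build                  = $info.Build
    AffectedRelease        = $affected
    PatchInstalled         = Test-PatchInstalled $PatchKB
    SmbCompressionDisabled = Test-SmbCompressionDisabled
    SmbListeningOn445      = Test-SmbListening
}
$report | Format-List

# Escalate only the combination that matters: affected release, no confirmed patch,
# no workaround, and the SMB server actually exposed.
if ($affected -and ($report.PatchInstalled -ne $true) -and
    -not $report.SmbCompressionDisabled -and $report.SmbListeningOn445) {
    Write-Warning "Affected release with SMB listening and no patch or workaround: apply the update now."
}
```

Run it as an administrator on each host (or wrap it in Invoke-Command for a fleet) and feed the output into whatever asset inventory tracks patch status. The compression workaround only protects the server side; the client-side vector described above (a user connecting to a malicious SMBv3 server) is closed only by installing the update, which is why the script treats the workaround as a stopgap rather than as a substitute for the patch.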
