Security researchers from ZecOps have disclosed technical details of a new vulnerability that affects the Server Message Block (SMB) protocol. The flaw (CVE-2020-1206), dubbed SMBleed, could allow attackers to leak kernel memory remotely or, when chained with the SMBGhost vulnerability patched three months ago, to achieve pre-auth remote code execution.
Like SMBGhost, the SMBleed vulnerability resides in the Srv2DecompressData function in the srv2.sys SMB server driver. The flaw exists due to the way Srv2DecompressData handles specially crafted message requests sent to a targeted SMBv3 Server, which allows a remote attacker to gain unauthorized access to sensitive information on the system.
"The message structure contains fields such as the amount of bytes to write and flags, followed by a variable-length buffer. That's perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data," the researchers explained.
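To make the defect class concrete, here is an added, simplified model (not ZecOps' code and not the srv2.sys logic; zlib stands in for the SMB compression algorithm and the two-field header is a constructed layout) of a decompression routine that sizes its buffer from a declared length, beside the check that closes the gap:

```python
"""Model of the declared-size vs. actual-size check behind SMBleed (added illustration)."""
import struct
import zlib

# Constructed header: declared decompressed size (u32) followed by flags (u16).
HEADER = struct.Struct("<IH")


def build_message(payload: bytes, declared_size: int, flags: int = 0) -> bytes:
    """Serialise header + compressed payload; the declared size is set independently."""
    return HEADER.pack(declared_size, flags) + zlib.compress(payload)


def decompress_unchecked(msg: bytes, stale: bytes) -> bytes:
    """Vulnerable pattern: buffer sized from the header, decompressed length never verified.

    `stale` models what a recycled allocation already holds; in a kernel pool
    allocation that would be whatever the previous owner left behind.
    """
    declared, _flags = HEADER.unpack_from(msg)
    buf = bytearray(stale[:declared].ljust(declared, b"\x00"))
    data = zlib.decompress(msg[HEADER.size:])
    n = min(len(data), declared)
    buf[:n] = data[:n]            # only the bytes actually produced are overwritten
    return bytes(buf)             # the remainder still carries `stale`


def decompress_checked(msg: bytes, stale: bytes) -> bytes:
    """Hardened pattern: reject any message whose real size differs from the declared one."""
    declared, _flags = HEADER.unpack_from(msg)
    data = zlib.decompress(msg[HEADER.size:])
    if len(data) != declared:
        raise ValueError(f"declared {declared} decompressed bytes, got {len(data)}")
    return data


if __name__ == "__main__":
    # Constructed sample: two real bytes, header claims eight.
    msg = build_message(b"AB", declared_size=8)
    print(decompress_unchecked(msg, stale=b"SECRETKEY"))   # tail is leftover buffer content
    try:
        decompress_checked(msg, stale=b"SECRETKEY")
    except ValueError as exc:
        print("rejected:", exc)
```

The unchecked variant hands back six bytes it never wrote, which is exactly the leak primitive described in the quote; the checked variant refuses the message before any consumer can read past the real payload.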
According to Microsoft's advisory, in order to exploit this vulnerability an attacker would need to trick a user into connecting to the attacker's malicious SMBv3 server.
The SMBleed vulnerability affects Windows 10 versions 1903 and 1909. The flaw was patched as part of Microsoft’s June 2020 Patch Tuesday release, which addresses a total of 129 vulnerabilities impacting Microsoft Windows, Microsoft Edge, ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps and Adobe Flash Player.