Earlier this week, as part of June's Patch Tuesday, Microsoft fixed a new vulnerability in the SMB protocol in its products (CVE-2020-1206). The bug is called SMBleed and allows an attacker to remotely leak data from kernel memory without authentication.
The vulnerability was discovered by ZecOps researchers, who say the new problem can be combined with another similar vulnerability, SMBGhost (CVE-2020-0796, also known as CoronaBlue, NexternalBlue and BluesDay), for which patches were already released in March 2020.
As with SMBGhost, the root of the SMBleed problem lies in the SMB 3.1.1 compression mechanism, and the bug affects how the protocol handles certain requests. Windows 10 and Windows Server versions 1903, 1909 and 2004 (but not earlier versions) are affected.
“To exploit this vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to the target SMBv3 server. To exploit this vulnerability against a client, an unauthenticated attacker would need to set up a malicious SMBv3 server and convince the user to connect to it,” says Microsoft's official security bulletin.
Although patches for SMBleed are already available, Microsoft also offers other ways to mitigate the problem, such as disabling SMBv3 compression. The researchers also note that SMBleed and SMBGhost can be defended against by blocking TCP port 445, tightening host isolation and disabling SMB 3.1.1 compression, although they still do not recommend relying on these workarounds.
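As an added example (not from the article, Microsoft or ZecOps), a PowerShell script that checks whether a host runs one of the affected releases and reports or applies the workarounds mentioned above. It assumes the build numbers 18362/18363/19041 for versions 1903/1909/2004 and uses the DisableCompression registry value and firewall cmdlet from Microsoft's published SMBGhost workaround guidance, neither of which appears in this article.

```powershell
# Added example: audit a Windows host for SMBleed/SMBGhost exposure and optionally
# apply the server-side and network-side workarounds. Run from an elevated prompt.
param([switch]$Apply)

# Affected releases named in the article, mapped to their OS build numbers (assumption).
$affectedBuilds = @{ 18362 = '1903'; 18363 = '1909'; 19041 = '2004' }
$build = [System.Environment]::OSVersion.Version.Build
if ($affectedBuilds.ContainsKey($build)) {
    Write-Host "Build $build (version $($affectedBuilds[$build])) is affected; confirm the June 2020 update is installed."
} else {
    Write-Host "Build $build is not one of the affected releases (1903/1909/2004)."
}

# Server-side workaround: disable SMBv3 compression. This protects the SMB server only;
# a client that connects to a malicious SMBv3 server is not covered by it.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$current = (Get-ItemProperty -Path $paramKey -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
if ($current -eq 1) {
    Write-Host 'SMBv3 compression is already disabled on the server side.'
} elseif ($Apply) {
    Set-ItemProperty -Path $paramKey -Name DisableCompression -Type DWORD -Value 1 -Force
    Write-Host 'SMBv3 compression disabled on the server side (no reboot required).'
} else {
    Write-Host 'SMBv3 compression is enabled; rerun with -Apply to disable it.'
}

# Network-side mitigation: block inbound TCP 445 from untrusted networks. Limiting the
# rule to the Public profile keeps domain file sharing working on trusted networks.
$ruleName = 'Block inbound SMB 445 (Public)'
if ($Apply -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
    Write-Host 'Inbound TCP 445 blocked on the Public firewall profile.'
}
```

Without -Apply the script only reports; the workarounds reduce exposure but do not replace installing the June 2020 update.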
The researchers have already published a PoC exploit for SMBleed, but they explain that for the exploit to work, credentials and write access to a share are required. However, they also note that the bug can be exploited without authentication: the researchers combined SMBleed with SMBGhost to achieve RCE (remote code execution). The exploit for this scenario has also been released publicly, and the researchers plan to publish technical details of the attack soon. In the meantime, a demonstration of the attack can be seen below.