SMB (Server Message Block) is a network protocol predominantly used by Microsoft Windows operating systems to provide shared access to files, printers and related services to machines operating within the same network.
Over the years, several vulnerabilities have been found in various versions of SMB, making it one of the protocols most commonly exploited by attackers. Although the primary purpose of SMB is ease of access to resources on the network, that same reachability gives attackers a path to spread malware laterally across the network.
The attackers' first goal is to get at least one system on the network infected with the malware. Once that foothold exists, the malware spreads itself automatically to other systems on the network by exploiting vulnerabilities in SMB. Such exploits also tend to establish "command & control" channels, whereby an infected system gives remote control to an attacker who is usually located somewhere on the internet.
Vendors that use SMB in their products tend to address reported vulnerabilities by releasing a patch, but because the cyber-attack landscape is ever evolving, new vulnerabilities are continually found and exploited.
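The lateral spread described above has a simple network signature: one host opening SMB (TCP 445) connections to many distinct peers in a short window. The following PowerShell is an added example, not part of this advisory, that looks for that fan-out in Windows Firewall log lines; the log lines are constructed for illustration (they follow the field order of the default pfirewall.log W3C format), and the function name and the peer threshold are assumptions to tune for your own environment.

```powershell
# Added example: flag hosts fanning out over SMB (TCP 445) to many distinct peers.
# $logLines is constructed sample data in the Windows Firewall pfirewall.log field order:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
$logLines = @(
    '2020-06-10 09:00:01 ALLOW TCP 10.0.0.5 10.0.0.7 49152 445 0 - 0 0 0 - - - SEND',
    '2020-06-10 09:00:02 ALLOW TCP 10.0.0.5 10.0.0.8 49153 445 0 - 0 0 0 - - - SEND',
    '2020-06-10 09:00:02 ALLOW TCP 10.0.0.5 10.0.0.9 49154 445 0 - 0 0 0 - - - SEND',
    '2020-06-10 09:00:03 ALLOW TCP 10.0.0.5 10.0.0.10 49155 445 0 - 0 0 0 - - - SEND',
    '2020-06-10 09:00:03 ALLOW TCP 10.0.0.5 10.0.0.11 49156 445 0 - 0 0 0 - - - SEND',
    '2020-06-10 09:00:04 ALLOW TCP 10.0.0.6 10.0.0.20 49160 445 0 - 0 0 0 - - - SEND',
    '2020-06-10 09:00:05 ALLOW TCP 10.0.0.6 10.0.0.21 49161 443 0 - 0 0 0 - - - SEND'
)

function Get-SmbFanOut {
    # Returns one record per source IP that spoke SMB, marking those whose
    # number of distinct destination peers meets the threshold.
    param(
        [string[]]$Lines,
        [int]$DistinctPeerThreshold = 4   # assumption: a normal workstation rarely talks SMB to this many hosts at once
    )

    # Parse the whitespace-separated W3C fields; skip comment and blank lines.
    $parsed = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Time    = "$($f[0]) $($f[1])"
            Action  = $f[2]
            Proto   = $f[3]
            SrcIp   = $f[4]
            DstIp   = $f[5]
            DstPort = [int]$f[7]
        }
    }

    $parsed |
        Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -eq 445 } |
        Group-Object SrcIp |
        ForEach-Object {
            $peers = @($_.Group | Select-Object -ExpandProperty DstIp -Unique)
            [pscustomobject]@{
                SrcIp         = $_.Name
                DistinctPeers = $peers.Count
                FirstSeen     = ($_.Group | Select-Object -First 1).Time
                Suspicious    = ($peers.Count -ge $DistinctPeerThreshold)
            }
        }
}

# Usage on the constructed sample: 10.0.0.5 (5 peers) is flagged, 10.0.0.6 (1 SMB peer) is not.
Get-SmbFanOut -Lines $logLines | Where-Object Suspicious | Format-Table -AutoSize
```

Against a real host, replace `$logLines` with `Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'` (firewall logging of allowed connections must be enabled for SEND entries to appear). The threshold is deliberately a parameter: file servers and backup hosts legitimately talk to many SMB peers, so baseline per role rather than applying one number fleet-wide.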
What is SMBleed?
SMBleed (CVE-2020-1206) is the latest SMB vulnerability; it could allow attackers to leak Windows kernel memory remotely. When combined with another recently reported vulnerability, SMBGhost (also known as EternalDarkness), it could allow attackers to execute code remotely.
How it works
The flaw resides in the way SMB's decompression function handles specially crafted message requests, potentially opening vulnerable Windows systems to malware that can propagate across networks. If the target is a server, the attacker can send a specially crafted message to the targeted SMB version 3 server. If the target is a client, the attacker would have to set up a malicious SMB (version 3) server and entice a user to connect to it.
What are the risks?
An incident involving exploitation of the SMBleed vulnerability can lead to different types of business impacts due to an attacker’s manipulation of this vulnerability, including:
Which platforms have this vulnerability?
How can it be prevented?
To mitigate the vulnerability, it’s recommended that home and business users install the latest Windows updates as soon as possible.
For systems where application of the patch is not possible (e.g. for compatibility reasons), it’s advised to block port 445 to prevent lateral movement and remote exploitation.
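The two recommendations above (patch first; where patching is not possible, block TCP 445) can be checked and applied from an elevated PowerShell session. The script below is an added example and is not from this advisory or from Microsoft. It assumes the function names, and the KB identifier is a placeholder because this page does not state it. It also applies a third control not mentioned on this page, Microsoft's published SMBv3 workaround of setting the LanmanServer DisableCompression registry value, which is relevant here because the flaw is in the decompression path.

```powershell
# Added example: audit a Windows host for the mitigations above and apply them when unpatched.
# Run elevated. The KB number below is a PLACEHOLDER; take the real one from the vendor advisory.
$RequiredKB = 'KB<patch-for-CVE-2020-1206>'
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-SmbExposure {
    # Returns the state of the three controls without changing anything.
    $patched = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)

    # Microsoft's SMBv3 workaround: DisableCompression = 1 under LanmanServer\Parameters.
    $reg = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $reg -and $reg.DisableCompression -eq 1)

    # Any enabled inbound block rule whose port filter covers TCP 445.
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }

    [pscustomobject]@{
        Patched             = $patched
        CompressionDisabled = $compressionDisabled
        Port445Blocked      = [bool]$blockRule
    }
}

function Invoke-SmbHardening {
    # Applies the workaround and the port block only when the patch is absent.
    $state = Test-SmbExposure
    if ($state.Patched) {
        Write-Host "$RequiredKB is installed; no workaround required."
        return $state
    }

    if (-not $state.CompressionDisabled) {
        Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
        Write-Host 'SMBv3 compression disabled (registry workaround).'
    }

    if (-not $state.Port445Blocked) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Host 'Inbound TCP 445 blocked by the host firewall.'
    }

    Test-SmbExposure
}

# Usage: inspect first, then harden.
Test-SmbExposure | Format-List
Invoke-SmbHardening | Format-List
```

Blocking inbound 445 on a file server also blocks its legitimate clients, so on such hosts scope the rule to the perimeter (or with `-RemoteAddress`) instead of `Any`, and treat the registry workaround as a stopgap to remove once the patch is deployed.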
Timely action and established processes have always been the best defence against exploitation of such vulnerabilities.
Clients are advised to follow the checklist below to ensure they are adequately protected:
Years of experience, a highly skilled team and a comprehensive suite of services reduce the risks you face, and take the stress of security management out of your hands.