SMBleed Vulnerability

SMB (Server Message Block) is a network protocol predominantly used by Microsoft Windows operating systems to provide shared access to files, printers and related services to machines operating within the same network.

Over the years, several vulnerabilities have been found in various versions of SMB, making it one of the protocols most commonly exploited by cyber attackers. Even though the primary purpose of SMB is to provide easy access to resources on the network, the same convenience also opens up a path for attackers to spread malware laterally across the network.

The intent of the attackers is to get at least one system on the network infected by the malware. Once this is accomplished, the malware spreads itself automatically across the network to other systems using vulnerabilities in SMB. Such exploits also tend to establish “command & control” bots whereby an infected system is able to provide remote control to the attacker who is usually located somewhere on the internet.

The vendors who use SMB in their products tend to address reported vulnerabilities by releasing a patch, but because the cyber-attack landscape is constantly evolving, new vulnerabilities are continually found and exploited.

What is SMBleed?

SMBleed (CVE-2020-1206) is the latest SMB vulnerability, and it could allow attackers to leak Windows kernel memory remotely. When combined with another recently reported vulnerability, SMBGhost (also known as EternalDarkness), it could allow attackers to achieve remote code execution.

How it works

The flaw resides in the way SMB’s decompression function handles specially crafted message requests, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks. If the target is a server, the attacker can send a specially crafted message to the targeted SMB version 3 server. If the target is a client, the attacker would have to configure a malicious SMB (version 3) server and entice a user to connect to it.

What are the risks?

An incident involving exploitation of the SMBleed vulnerability can lead to different types of business impacts due to an attacker’s manipulation of this vulnerability, including:

  • Significant business downtime due to compromised systems
  • Sensitive data breach due to remote code execution
  • Establishment of “command & control” bot systems on the network which cause persistent threats
  • Significant time & resource expenditure on incident response remediation

Which platforms have this vulnerability?

  • Windows 10 versions 1903, 1909 & 2004 – including 32-bit, x64-based and ARM64-based systems
  • Windows Server versions 1903, 1909 & 2004 – including Server Core Installation

How can it be prevented?

To mitigate the vulnerability, it’s recommended that home and business users install the latest Windows updates as soon as possible.

For systems where application of the patch is not possible (e.g. for compatibility reasons), it’s advised to block port 445 to prevent lateral movement and remote exploitation.

Timely action and established processes have always been the best defence against the exploitation of such vulnerabilities.

Clients are advised to follow the checklist below to ensure they are adequately protected:

  • Apply the patches released by Microsoft for the affected systems.
  • If patching is not possible (e.g. a compatibility issue with applications on the system), disable SMB version 3 compression, using the PowerShell command recommended by Microsoft, to block unauthenticated attackers from exploiting the vulnerability.
  • Block TCP port 445 on the perimeter firewall. SMB uses this port number to communicate. Given the risk with SMB, this port should only be opened when there is a strong business justification.
  • Restrict lateral movement in the internal network using SMB for only business essential services like connection to domain controllers and file servers. The easiest way to accomplish this is by configuring appropriate rules in endpoint protection tools.
  • Set up a threat detection & response program that provides continuous monitoring, advanced threat hunting, actionable intelligence and automated or human-initiated responses.
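The following script is an added example, not part of the original advisory or of Microsoft’s own tooling; it audits and applies the two interim workarounds from the checklist above (disabling SMBv3 compression and blocking inbound TCP 445) on a Windows 10 or Windows Server host. The registry path and value name are the ones Microsoft documents for the SMBv3 compression workaround and the build numbers map to the listed releases; both are assumptions of this example and should be verified against the current Microsoft advisory. The firewall rule name is chosen for this example.

```powershell
# Added example (not from the original advisory). Run in an elevated session.
# Registry path/value are Microsoft's documented SMBv3 compression workaround
# (assumed here; verify against the current advisory before use).
#Requires -RunAsAdministrator

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Builds for the releases the advisory lists as affected: 1903, 1909, 2004 (assumed mapping)
$AffectedBuilds = @(18362, 18363, 19041)

function Test-AffectedBuild {
    $build = [System.Environment]::OSVersion.Version.Build
    return ($AffectedBuilds -contains $build)
}

function Get-SmbCompressionDisabled {
    # $true when the workaround is already in place (DisableCompression = 1)
    $prop = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.DisableCompression -eq 1)
}

function Disable-SmbCompression {
    # Server-side workaround from the checklist. It does not protect SMB clients
    # that connect to a malicious server; only the Microsoft update covers that case.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWord -Value 1 -Force
}

function Block-InboundSmb {
    # Host-level version of the perimeter rule from the checklist: drop inbound TCP 445
    # on Public/Private profiles. The Domain profile is left alone so that access to
    # domain controllers and file servers (business-essential SMB) keeps working.
    $name = 'Block Inbound SMB 445 (SMBleed mitigation)'   # example rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public,Private | Out-Null
    }
}

if (-not (Test-AffectedBuild)) {
    Write-Host "Build $([System.Environment]::OSVersion.Version.Build) is not in the affected list; check patch status anyway."
}
if (Get-SmbCompressionDisabled) {
    Write-Host 'SMBv3 compression already disabled.'
} else {
    Disable-SmbCompression
    Write-Host 'SMBv3 compression disabled (interim workaround; install the Microsoft update for a full fix).'
}
Block-InboundSmb
Write-Host 'Inbound TCP 445 blocked on Public and Private firewall profiles.'
```

The compression change takes effect for new SMB sessions without a reboot; re-run the script after patching to confirm the firewall rule still matches the business justification for port 445.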

© 2020 MyEmpire Group Pty, Ltd All rights reserved
