Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

SMBleed (CVE-2020-1206) and SMBLost (CVE-2020-1301) Vulnerabilities Affect Microsoft SMBv3 and SMBv1

Three months after an out-of-band patch was released for SMBGhost, aka EternalDarkness (CVE-2020-0796), researchers disclosed two new flaws affecting Microsoft’s Server Message Block (SMB) protocol, including working proof-of-concepts.

Background

As part of Microsoft’s June 2020 Patch Tuesday release on June 9, researchers disclosed two new vulnerabilities in Microsoft Server Message Block (SMB), a protocol used to facilitate the sharing of files, printers and serial ports between computers.

Server Message Block

The first version of the SMB protocol (SMBv1) was developed at IBM by Barry Feigenbaum in 1983 and it was eventually implemented in Microsoft Windows in 1992. In 2006, Server Message Block version 2 was introduced as part of the release of Windows Vista and Windows Server 2008, designed to provide new enhancements to the protocol as well as address some of the existing issues in SMBv1.

In September 2011, Microsoft initially announced plans to release Server Message Block version 2.2. However, after reviewing all the changes, they decided that marking this release as a minor revision “doesn’t do justice [sic] the work that has gone in.” As a result, Microsoft announced in April 2012 that SMB version 2.2 would now be referred to as Server Message Block version 3.0 (SMBv3) as part of Windows 8 and Windows Server 2012.

SMB version 3.1.1 is the latest iteration of SMBv3, which was released in May 2015 as part of Windows 10 and Windows Server 2016.

Analysis

SMBGhost Inadvertently Revealed

On March 12, Microsoft published an out-of-band advisory for CVE-2020-0796, a remote code execution (RCE) flaw in SMBv3 that was inadvertently revealed in Microsoft’s March 2020 Patch Tuesday release. Within one day, security researchers from KryptosLogic and SophosLabs published proof-of-concept (PoC) scripts that could trigger a blue screen of death (BSoD) on vulnerable systems. At the time there was an expectation that a PoC achieving RCE would be released.

Gaining RCE using CVE-2020-0796

In April, a report from researchers at Ricerca Security states they were able to construct a PoC for CVE-2020-0796 to gain RCE. However, the researchers opted not to publicly share their script to “avoid abuse,” instead offering it to their paying customers.

At the end of May, a researcher known by the pseudonym “chompie” published a tweet that showed a working PoC for CVE-2020-0796 capable of gaining RCE.

ChompieTweet - working proof of concept for SMBGhost

One day later, chompie decided to publicly release their PoC for “educational purposes” with the expectation that ZecOps would be publishing a PoC of their own “in the coming days.” The researcher stressed that the PoC “needs some work to be more reliable.”

ChompieTweet - public release of SMBGhost proof of concept

Wait and SMBleed

On June 9, Microsoft released an advisory for CVE-2020-1206, an information disclosure vulnerability in SMBv3 due to an issue in handling compressed data packets. It was discovered and disclosed by researchers at ZecOps, who have dubbed the flaw “SMBleed.”

SMBleed visual created by ZecOps

Image Source: ZecOps

SMBleed builds on previous research surrounding SMBGhost. ZecOps published a blog post at the end of March that included a PoC for gaining local privilege escalation using SMBGhost. In their latest blog post, ZecOps says the SMBleed vulnerability exists in Srv2DecompressData, which is “the same function as with SMBGhost.” It is likely that they identified SMBleed during their analysis of SMBGhost.

SMBleedingGhost: Achieving RCE with SMBleed and SMBGhost

ZecOps cautions that unauthenticated exploitation of SMBleed, while possible, is “less straightforward.” As a result, they combined both SMBleed and SMBGhost to gain unauthenticated RCE. They’ve not yet provided technical details about chaining the two flaws together. However, they did share a PoC as well as a GIF that shows them gaining RCE.

ZecOps proof of concept for SMBleedingGhost

Image Source: ZecOps

Haunted by EternalBlue

In our blog for CVE-2020-0796, we alluded to the potential similarity between SMBGhost and EternalBlue (CVE-2017-0144), an RCE vulnerability in SMBv1 that was used as part of the WannaCry attacks in 2017. The comparison was clear to many, so much so that CVE-2020-0796 was initially dubbed EternalDarkness by security researcher Kevin Beaumont, in addition to its SMBGhost moniker. However, since the vulnerability only affects SMBv3, its potential for a WannaCry-level impact was mitigated by the fact that the flaw only resides in specific versions of Windows, such as Windows 10 and Windows Server 2016.

SMBLost In Space

In addition to SMBleed, Microsoft also released an advisory for CVE-2020-1301, an RCE vulnerability in SMBv1 due to an improper handling of a specially crafted SMBv1 request. The vulnerability was disclosed to Microsoft by researchers at Airbus’ cybersecurity division.

On June 9, Airbus published a blog post by vulnerability researcher Nicolas Delhaye, detailing their discovery of CVE-2020-1301, which they’ve dubbed SMBLost.

Unlike SMBGhost and SMBleed, SMBLost is more akin to EternalBlue because it impacts SMBv1. However, as Delhaye notes in his blog, SMBLost is “much less harmful” than SMBGhost and EternalBlue due to two mitigating circumstances:

  1. SMBLost is post-authentication (valid credentials), whereas SMBGhost and EternalBlue are pre-authentication (no credentials).
  2. The presence of a shared partition on the vulnerable SMBv1 server (e.g. “c:\” or “d:\”) is required for exploitation, which Delhaye notes is “less common.”

Airbus provided a proof of concept for SMBLost in their blog, which results in denial of service (DoS) by way of a BSoD.

Blue screen of death for SMBLost

Image Source: Airbus Cybersecurity

As a caveat, the blog post mentions that using SMBLost to gain RCE “seems conceivable,” but they believe it will be “difficult to make it reliable.” In the case of SMBGhost, a similar situation occurred where the only PoCs to emerge initially were for a DoS and Local Privilege Escalation (LPE). While there is no RCE currently available for SMBLost, it is possible that determined researchers or attackers could find a way to develop a reliable PoC to gain RCE in the near future.

Proof of concept

Both ZecOps and Airbus have published proof-of-concept code for SMBleed and SMBLost. ZecOps published their PoC in their GitHub repository while Airbus shared their PoC as part of their blog post.

Solution

The following versions of Microsoft Windows and Windows Server are affected.

CVE-2020-1206
Product Version
Windows Server Version 1903 (Server Core Installation)
Version 1909 (Server Core Installation)
Version 2004 (Server Core Installation)
Windows 10 1903 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 1909 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 2004 32-bit Systems
ARM64-based Systems
x64-based Systems
CVE-2020-1301
Product Version
Windows Server 2008 for 32-bit Systems Service Pack 2
2008 for 32-bit Systems Service Pack 2 (Server Core installation)
2008 for Itanium-Based Systems Service Pack 2
2008 for x64-based Systems Service Pack 2
2008 for x64-based Systems Service Pack 2 (Server Core installation)
2008 R2 for Itanium-Based Systems Service Pack 1
2008 R2 for x64-based Systems Service Pack 1
2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation)
2012
2012 (Server Core Installation)
2012 R2
2012 R2 (Server Core Installation)
2016
2016 (Server Core Installation) 2019
2019 (Server Core Installation)
Version 1803 (Server Core Installation)
Version 1903 (Server Core Installation)
Version 1909 (Server Core Installation)
Version 2004 (Server Core Installation)
Windows RT 8.1
Windows 7 32-bit Systems Service Pack 1
x64-based Systems Service Pack 1
Windows 8.1 32-bit Systems
x64-based Systems
Windows 10 32-bit Systems
x64-based Systems
Windows 10 1607 32-bit Systems
x64-based Systems
Windows 10 1709 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 1803 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 1809 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 1903 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 1909 32-bit Systems
ARM64-based Systems
x64-based Systems
Windows 10 2004 32-bit Systems
ARM64-based Systems
x64-based Systems

Microsoft released patches for SMBleed and SMBLost as part of their June 2020 Patch Tuesday release. It is also noteworthy that Microsoft provided patches to address SMBLost for Windows 7 and Windows Server 2008, both of which reached the end of their support cycle in January 2020. Tenable strongly recommends applying these patches as soon as possible.

If upgrading is not feasible to address both SMBleed and SMBGhost, Microsoft has recommended disabling SMBv3 compression.

Microsoft workaround for SMBv3

Once upgrading is feasible and patches have been applied, Microsoft recommends removing the SMBv3 workaround.

While the mitigating circumstances make SMBLost less impactful than SMBGhost and EternalBlue, researchers are clearly poking around the SMB protocol, hunting for vulnerable code. Be diligent about applying patches, and if you haven’t already, disable SMBv1 as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.