A new critical vulnerability (CVE-2020-1206) affecting Microsoft Windows operation system’s Server Message Block (SMB) protocol was recently publicly disclosed. The vulnerability dubbed SMBleed, resides in SMB version 3.1.1’s decompression function, Srv2DecompressData. An unauthenticated attacker can exploit the vulnerability by sending a specially crafted message request to a targeted SMB server, and successful exploitation could allow an attacker to read uninitialized kernel memory.

CERT-PH is aware of publicly available and functional proof-of-concept (PoC) code that exploits the SMBleed vulnerability alone, and with a combination of a “wormable” vulnerability (CVE-2020-0796) dubbed as SMBGhost. By chaining both vulnerabilities together, attackers could potentially achieve remote code execution. As such, this emphasizes the utmost importance of applying the patch for the aforementioned vulnerabilities, to avoid WannaCry and NotPetya-like attacks that were facilitated by exploiting the notorious EternalBlue “wormable” vulnerability affecting earlier versions of the SMB protocol.

Affected Versions:

Windows 10 versions 1903 and 1909

CERT-PH recommends the following actions be taken:

Install the latest security updates from Microsoft as part of their June 2020 Patch Tuesday release which addressed the said vulnerabilities.