SMBleed (CVE-2020-1206) and SMBLost (CVE-2020-1301) Vulnerabilities Affect Microsoft SMBv3 and SMBv1

Three months after an out-of-band patch was released for SMBGhost, aka EternalDarkness (CVE-2020-0796), researchers disclosed two new flaws affecting Microsoft’s Server Message Block (SMB) protocol, including working proof-of-concepts.

Background

As part of Microsoft’s June 2020 Patch Tuesday release on June 9, researchers disclosed two new vulnerabilities in Microsoft Server Message Block (SMB), a protocol used to facilitate the sharing of files, printers and serial ports between computers.

Server Message Block

The first version of the SMB protocol (SMBv1) was developed at IBM by Barry Feigenbaum in 1983 and it was eventually implemented in Microsoft Windows in 1992. In 2006, Server Message Block version 2 was introduced as part of the release of Windows Vista and Windows Server 2008, designed to provide new enhancements to the protocol as well as address some of the existing issues in SMBv1.

In September 2011, Microsoft initially announced plans to release Server Message Block version 2.2. However, after reviewing all the changes, they decided that marking this release as a minor revision “doesn’t do justice [sic] the work that has gone in.” As a result, Microsoft announced in April 2012 that SMB version 2.2 would now be referred to as Server Message Block version 3.0 (SMBv3) as part of Windows 8 and Windows Server 2012.

SMB version 3.1.1 is the latest iteration of SMBv3, which was released in May 2015 as part of Windows 10 and Windows Server 2016.

Analysis

SMBGhost Inadvertently Revealed

On March 12, Microsoft published an out-of-band advisory for CVE-2020-0796, a remote code execution (RCE) flaw in SMBv3 that was inadvertently revealed in Microsoft’s March 2020 Patch Tuesday release. Within one day, security researchers from KryptosLogic and SophosLabs published proof-of-concept (PoC) scripts that could trigger a blue screen of death (BSoD) on vulnerable systems. At the time there was an expectation that a PoC achieving RCE would be released.

Gaining RCE using CVE-2020-0796

In April, a report from researchers at Ricerca Security states they were able to construct a PoC for CVE-2020-0796 to gain RCE. However, the researchers opted not to publicly share their script to “avoid abuse,” instead offering it to their paying customers.

At the end of May, a researcher known by the pseudonym “chompie” published a tweet that showed a working PoC for CVE-2020-0796 capable of gaining RCE.

One day later, chompie decided to publicly release their PoC for “educational purposes” with the expectation that ZecOps would be publishing a PoC of their own “in the coming days.” The researcher stressed that the PoC “needs some work to be more reliable.”

Wait and SMBleed

On June 9, Microsoft released an advisory for CVE-2020-1206, an information disclosure vulnerability in SMBv3 due to an issue in handling compressed data packets. It was discovered and disclosed by researchers at ZecOps, who have dubbed the flaw “SMBleed.”

Image Source: ZecOps

SMBleed builds on previous research surrounding SMBGhost. ZecOps published a blog post at the end of March that included a PoC for gaining local privilege escalation using SMBGhost. In their latest blog post, ZecOps says the SMBleed vulnerability exists in Srv2DecompressData, which is “the same function as with SMBGhost.” It is likely that they identified SMBleed during their analysis of SMBGhost.

SMBleedingGhost: Achieving RCE with SMBleed and SMBGhost

ZecOps cautions that unauthenticated exploitation of SMBleed, while possible, is “less straightforward.” As a result, they combined both SMBleed and SMBGhost to gain unauthenticated RCE. They’ve not yet provided technical details about chaining the two flaws together. However, they did share a PoC as well as a GIF that shows them gaining RCE.

Image Source: ZecOps

Haunted by EternalBlue

In our blog for CVE-2020-0796, we alluded to the potential similarity between SMBGhost and EternalBlue (CVE-2017-0144), an RCE vulnerability in SMBv1 that was used as part of the WannaCry attacks in 2017. The comparison was clear to many, so much so that CVE-2020-0796 was initially dubbed EternalDarkness by security researcher Kevin Beaumont, in addition to its SMBGhost moniker. However, since the vulnerability only affects SMBv3, its potential for a WannaCry-level impact was mitigated by the fact that the flaw only resides in specific versions of Windows, such as Windows 10 and Windows Server 2016.

SMBLost In Space

In addition to SMBleed, Microsoft also released an advisory for CVE-2020-1301, an RCE vulnerability in SMBv1 due to an improper handling of a specially crafted SMBv1 request. The vulnerability was disclosed to Microsoft by researchers at Airbus’ cybersecurity division.

On June 9, Airbus published a blog post by vulnerability researcher Nicolas Delhaye, detailing their discovery of CVE-2020-1301, which they’ve dubbed SMBLost.

Unlike SMBGhost and SMBleed, SMBLost is more akin to EternalBlue because it impacts SMBv1. However, as Delhaye notes in his blog, SMBLost is “much less harmful” than SMBGhost and EternalBlue due to two mitigating circumstances:

1. SMBLost is post-authentication (valid credentials), whereas SMBGhost and EternalBlue are pre-authentication (no credentials).
2. The presence of a shared partition on the vulnerable SMBv1 server (e.g. “c:\” or “d:\”) is required for exploitation, which Delhaye notes is “less common.”

Airbus provided a proof of concept for SMBLost in their blog, which results in denial of service (DoS) by way of a BSoD.

Image Source: Airbus Cybersecurity

As a caveat, the blog post mentions that using SMBLost to gain RCE “seems conceivable,” but they believe it will be “difficult to make it reliable.” In the case of SMBGhost, a similar situation occurred where the only PoCs to emerge initially were for a DoS and Local Privilege Escalation (LPE). While there is no RCE currently available for SMBLost, it is possible that determined researchers or attackers could find a way to develop a reliable PoC to gain RCE in the near future.

Proof of concept

Both ZecOps and Airbus have published proof-of-concept code for SMBleed and SMBLost. ZecOps published their PoC in their GitHub repository while Airbus shared their PoC as part of their blog post.

Solution

The following versions of Microsoft Windows and Windows Server are affected.

Microsoft released patches for SMBleed and SMBLost as part of their June 2020 Patch Tuesday release. It is also noteworthy that Microsoft provided patches to address SMBLost for Windows 7 and Windows Server 2008, both of which reached the end of their support cycle in January 2020. Tenable strongly recommends applying these patches as soon as possible.

If upgrading is not feasible to address both SMBleed and SMBGhost, Microsoft has recommended disabling SMBv3 compression.

Once upgrading is feasible and patches have been applied, Microsoft recommends removing the SMBv3 workaround.

While the mitigating circumstances make SMBLost less impactful than SMBGhost and EternalBlue, researchers are clearly poking around the SMB protocol, hunting for vulnerable code. Be diligent about applying patches, and if you haven’t already, disable SMBv1 as soon as possible.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

• CVE-2020-1206: SMBleed Blog Post by ZecOps
• CVE-2020-1301: SMBLost Blog Post by Airbus Cybersecurity
• Microsoft Advisory for CVE-2020-1206 (SMBleed)
• Microsoft Advisory for CVE-2020-1301 (SMBLost)
• Microsoft Advisory for CVE-2020-0796 (SMBGhost aka EternalDarkness)
• Tenable Blog Post for CVE-2020-0796

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.