Microsoft has released a patch for a critical vulnerability affecting the Server Message Block (SMB) protocol. The vulnerability can be exploited remotely to leak information from kernel memory, and it can be combined with additional exploits, such as the previously released “SMBGhost” exploit, to further compromise the system.
Technical detail and additional information
What is the threat?
Security researchers at ZecOps produced a proof of concept (PoC) that exploits the Srv2DecompressData function, which the SMB protocol uses to decompress data. Using the SMB2 Write request, which allows specially crafted packets to be sent over SMB, an attacker can create a packet that causes kernel memory to be leaked when it is received. Their research indicates that Windows 10 versions 1903, 1909 and 2004 are affected by the vulnerability.
Why is this noteworthy?
The SMB protocol is commonly used to share files across a network. Any device, whether a server or an end-user workstation, that runs a vulnerable SMB version is susceptible to this exploit. Additionally, any system that has not applied the previously released patch for the SMBGhost exploit is vulnerable to both attacks, which together can give a threat actor remote code execution on the system.
What is the exposure or risk?
By sending specially crafted packets to a target server, an attacker can use this exploit to obtain information about the system, which can then be used to compromise it further. SMBGhost is the exploit most often mentioned in this context, but it is not the only one that could be chained with the new vulnerability: although no such combination has been seen in the wild, it is theoretically possible to pair this attack vector with any other exploit that relies on information stored in kernel memory.
What are the recommendations?
SKOUT recommends installing the patch released by Microsoft that addresses the vulnerability. Where patching is not possible on a vulnerable system, SKOUT recommends blocking port 445 to prevent lateral movement across the network and successful exploitation of the vulnerability.
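The following PowerShell script is an added example, not part of the SKOUT advisory or of Microsoft's guidance; it audits a Windows 10 host against the points above and, only when asked, applies the port-445 block recommended as the fallback. It assumes an elevated PowerShell session on the host being checked, that the advisory's affected releases 1903, 1909 and 2004 correspond to the well-known builds 18362, 18363 and 19041, and that the DisableCompression value under LanmanServer (Microsoft's documented SMBGhost workaround) is a useful thing to report; the rule name is a constructed placeholder.

```powershell
# Added example (not from the advisory): audit a Windows 10 host for the
# conditions described above and, on request, apply the inbound port-445 block.
# Assumptions: elevated session on the host being checked; build numbers
# 18362/18363/19041 stand for the Windows 10 releases 1903/1909/2004.

function Get-SmbExposureReport {
    [CmdletBinding()]
    param(
        # Apply the inbound TCP/445 block used as the fallback when patching is not possible.
        [switch]$Enforce
    )

    # Build numbers of the Windows 10 releases the advisory lists as affected.
    $affectedBuilds = @{ '18362' = '1903'; '18363' = '1909'; '19041' = '2004' }

    $ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$ver.CurrentBuild
    $affectedRelease = $affectedBuilds[$build]

    # Microsoft's documented SMBGhost workaround sets DisableCompression=1 under
    # LanmanServer. Report whether that stopgap is present; it does not replace the patch.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                               -ErrorAction SilentlyContinue
    $compressionDisabled = ($null -ne $params) -and ($params.DisableCompression -eq 1)

    # Is inbound TCP/445 already blocked by our rule? (constructed rule name)
    $ruleName = 'Block inbound SMB (TCP 445) - advisory workaround'
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if ($Enforce -and -not $existing) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        $existing = Get-NetFirewallRule -DisplayName $ruleName
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Build                  = "$build.$($ver.UBR)"
        AffectedRelease        = if ($affectedRelease) { $affectedRelease } else { 'not in advisory list' }
        SmbCompressionDisabled = $compressionDisabled
        Port445InboundBlocked  = ([bool]$existing) -and ($existing.Enabled -eq 'True')
    }
}

Get-SmbExposureReport            # audit only: prints build, affected release, and mitigation state
# Get-SmbExposureReport -Enforce # additionally creates the inbound TCP/445 block rule
```

Run the audit form first across the fleet and treat any host whose AffectedRelease is one of the listed versions and that has not received the Microsoft patch as the priority for patching. Use -Enforce only where patching truly cannot be scheduled: blocking inbound 445 on a host that serves files stops that sharing for its clients, so scope the rule (for example with -RemoteAddress) or prefer a perimeter or segment-level block rather than a blanket host rule on file servers.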
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.