
Remote Code Execution SMBGhost for Microsoft SMBv3 now being chained with SMBleed

Reference: 
Advisory #2020-019
Version: 
1.0
Affected software: 
Windows 10 Version 2004 (< KB4551762)
Windows 10 Version 1909 (< KB4551762)
Windows 10 Version 1903 (KB4551762, KB4512941)
Type: 
Information Disclosure Vulnerability, Remote Code Execution (RCE)
CVE/CVSS: 

CVE-2020-0796
CVE-2020-1206

Sources

https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/
https://nvd.nist.gov/vuln/detail/CVE-2020-0796
https://nvd.nist.gov/vuln/detail/CVE-2020-1206
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

Risks

CVE-2020-1206 (SMBleed) allows a remote attacker to read uninitialised kernel memory from an affected SMBv3 server.
On its own this is an information disclosure. Chained with CVE-2020-0796 (SMBGhost), the leaked kernel data supplies the addresses the attacker needs to exploit SMBGhost reliably, which results in unauthenticated remote code execution with kernel privileges on unpatched systems.

Description

A Proof-of-Concept has been released by the ZecOps research team showing how to exploit an information disclosure vulnerability in the SMBv3 protocol implementation, affecting both Windows servers and clients.

Earlier this year CVE-2020-0796 (SMBGhost) was disclosed: a remote code execution vulnerability caused by the way Microsoft Server Message Block 3.1.1 handles connections that use compression. A second vulnerability, now tracked as CVE-2020-1206 (SMBleed), was found in the same function, Srv2DecompressData in the SMB server driver (srv2.sys). The simplest way to exploit CVE-2020-1206 requires valid credentials and a writable share, but because the bug affects every compressed message it can potentially be exploited without authentication. An affected system leaks the contents of uninitialised kernel memory to the attacker.
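As an added illustration (not code from CERT.be, ZecOps or Microsoft), the Python below models the two checks that Srv2DecompressData lacked, using the SMB2 COMPRESSION_TRANSFORM_HEADER layout from MS-SMB2 (ProtocolId 0xFC 'S' 'M' 'B', OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset). The run-length "decompressor", the MAX_SEGMENT cap, the 0xAA marker standing in for uninitialised pool memory and the three sample messages are constructed for the example; the mechanism of the two bugs (a wrapped 32-bit allocation size for SMBGhost, and a decompressed byte count that was never compared with OriginalCompressedSegmentSize for SMBleed) follows the cited ZecOps write-up.

```python
import struct

PROTOCOL_ID = b"\xfcSMB"   # SMB2 COMPRESSION_TRANSFORM_HEADER ProtocolId (MS-SMB2 2.2.42)
HEADER_LEN = 16
MAX_SEGMENT = 0x10000      # constructed per-message cap for this example
STALE = b"\xaa"            # constructed stand-in for uninitialised kernel pool memory


class RejectedMessage(Exception):
    """Raised when a transform header fails a sanity check."""


def build_message(orig_size, offset, prefix, compressed, algo=1, flags=0):
    """Assemble header + uncompressed prefix + compressed data (constructed test input)."""
    assert len(prefix) == offset
    header = struct.pack("<4sIHHI", PROTOCOL_ID, orig_size, algo, flags, offset)
    return header + prefix + compressed


def parse_transform_header(data):
    """Return (OriginalCompressedSegmentSize, CompressionAlgorithm, Flags, Offset, payload)."""
    if len(data) < HEADER_LEN:
        raise RejectedMessage("short header")
    proto, orig_size, algo, flags, offset = struct.unpack_from("<4sIHHI", data, 0)
    if proto != PROTOCOL_ID:
        raise RejectedMessage("bad ProtocolId")
    return orig_size, algo, flags, offset, data[HEADER_LEN:]


def toy_decompress(blob):
    """Stand-in for LZNT1/LZ77 (assumption): a stream of (repeat count, byte) pairs."""
    if len(blob) % 2:
        raise RejectedMessage("truncated compressed stream")
    out = bytearray()
    for i in range(0, len(blob), 2):
        out += bytes([blob[i + 1]]) * blob[i]
    return bytes(out)


def vulnerable_alloc_size(orig_size, offset):
    """Allocation size as the unpatched code computed it: a 32-bit sum that wraps (SMBGhost)."""
    return (orig_size + offset) & 0xFFFFFFFF


def vulnerable_decompress_message(data):
    """Unpatched behaviour (SMBleed): OriginalCompressedSegmentSize is trusted as the
    output length, so bytes nothing was ever written to are handed back as message data.
    Only the leak direction is modelled; a declared size smaller than the output is the
    overflow case and is not handled here."""
    orig_size, _algo, _flags, offset, payload = parse_transform_header(data)
    body = toy_decompress(payload[offset:])
    return payload[:offset] + body + STALE * (orig_size - len(body))


def decompress_message(data):
    """Patched behaviour: both checks in place."""
    orig_size, _algo, _flags, offset, payload = parse_transform_header(data)
    # SMBGhost: reject before the 32-bit sum used for the allocation can wrap,
    # and bound it so a huge declared size cannot drive the allocation at will.
    if orig_size + offset > 0xFFFFFFFF or orig_size + offset > MAX_SEGMENT:
        raise RejectedMessage("OriginalCompressedSegmentSize + Offset out of range")
    if offset > len(payload):
        raise RejectedMessage("Offset points past the payload")
    body = toy_decompress(payload[offset:])
    # SMBleed: the byte count actually produced must match the header, otherwise
    # the unwritten remainder of the buffer would be returned to the client.
    if len(body) != orig_size:
        raise RejectedMessage(f"decompressed {len(body)} bytes, header claims {orig_size}")
    return payload[:offset] + body


def rejects(data):
    """True if the hardened path refuses the message."""
    try:
        decompress_message(data)
    except RejectedMessage:
        return True
    return False


# Constructed sample messages: one valid, one per bug.
GOOD = build_message(6, 4, b"ABCD", bytes([3, ord("x"), 3, ord("y")]))
GHOST = build_message(0xFFFFFFFF, 16, b"P" * 16, bytes([1, ord("q")]))
LEAK = build_message(100, 0, b"", bytes([2, ord("z")]))

if __name__ == "__main__":
    print(decompress_message(GOOD))
    print(vulnerable_alloc_size(0xFFFFFFFF, 16), rejects(GHOST))
    print(vulnerable_decompress_message(LEAK)[:8], rejects(LEAK))
```

Running it shows the valid message decoded, the SMBGhost header turning a 4 GiB claim into a 15-byte allocation, and the SMBleed message handing back 98 bytes the client never sent, which is exactly what the writable-share variant of the attack writes to disk for later retrieval.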

Patches were released to resolve these vulnerabilities.

Recommended Actions

CERT.be recommends installing the latest updates for the affected Windows versions; they are available from the official Microsoft portal, and the references for both vulnerabilities are listed under Sources above. For servers that cannot be patched immediately, ADV200005 documents a temporary workaround: disable SMBv3 compression by setting the DisableCompression registry value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. This workaround protects SMB servers only, not SMB clients, and does not replace the update.