SMB… Ghost then Bleed Now

SMBleed Vulnerability

Cybersecurity researchers today uncover a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed “wormable” bug, the flaw can be exploited to achieve remote code execution attacks.


Dubbed “SMBleed” (CVE-2020-1206) by cybersecurity firm ZecOps, the flaw resides in SMB’s decompression function — the same function as with SMBGhost or EternalDarkness bug (CVE-2020-0796), which came to light three months ago, potentially opening vulnerable Windows systems to malware attacks that can propagate across networks.

The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.

SMB, which runs over TCP port 445, is a network protocol that provides the basis for file sharing, network browsing, printing services, and interprocess communication over a network.(“Srv2DecompressData”) handles specially crafted message requests (e.g., SMB2 WRITE) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function.

“The message structure contains fields such as the amount of bytes to write and flags, followed by a variable-length buffer,” the researchers said. “That’s perfect for exploiting the bug since we can craft a message such that we specify the header, but the variable-length buffer contains uninitialized data.

“An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server,” Microsoft said in its advisory.


“To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,” Microsoft added.

SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution.

To mitigate the vulnerability, it’s recommended that home and business users install the latest Windows updates as soon as possible.


For systems where the patch is not applicable, it’s advised to block port 445 to prevent lateral movement and remote exploitation.


Microsoft’s security guidance addressing SMBleed and SMBGhost in Windows 10 version 1909 and 1903 and Server Core for the same versions can be found here and here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s