Today, Microsoft released a patch for a vulnerability with the worm potential in the SMBv3…
As with SMBGhost, the root of the SMBleed problem lies in the SMB 3.1.1 compression engine, and the bug affects that way, in which protocol handles certain requests. Windows 10 and Windows Server versions 1903, 1909, and 2004 (but not earlier versions) are vulnerable to the problem.
“To exploit this vulnerability on a server, an unauthenticated attacker could send a specially crafted package to the target SMBv3 server. To exploit this vulnerability for a client, an unauthorized attacker must configure the malicious SMBv3 server and convince the user to connect to it”, — said in the official Microsoft security bulletin.
Although patches for SMBleed are already available, Microsoft offers other methods to solve this problem, for example, disabling SMBv3 compression. Researchers also note that it is possible to protect against SMBleed and SMBGhost by blocking TCP port 445, increasing host isolation and disabling SMB 3.1.1 compression. Although researchers still do not recommend applying these methods.
Experts have already published a PoC exploit for SMBleed, but explain that for the correct work of the exploit user needs credentials, as well as access to writing on the shared resource. However, it is also noted that the bug can be used without authentication. So, the experts themselves combined SMBleed with SMBGhost to achieve RCE (Remote Code Execution).
The exploit for this scenario was also posted in the public domain, and soon experts plan to publish technical details of such an attack. In the meantime, a demonstration of the attack can be seen below.
Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…
Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…
Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…
Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…
News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…
Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…