{"id":2691,"date":"2020-06-15T08:00:00","date_gmt":"2020-06-15T06:00:00","guid":{"rendered":"https:\/\/xopero.com\/blog\/?p=2691"},"modified":"2023-08-16T15:04:57","modified_gmt":"2023-08-16T13:04:57","slug":"smbleed-vulnerability-allows-an-attacker-to-leak-kernel-memory","status":"publish","type":"post","link":"https:\/\/xopero.com\/blog\/en\/smbleed-vulnerability-allows-an-attacker-to-leak-kernel-memory\/","title":{"rendered":"SMBleed vulnerability allows an attacker to leak kernel memory"},"content":{"rendered":"\n

Welcome to the next episode of the Xopero Security Center<\/a>! There is a new SMB protocol vulnerability called SMBleed and tracked as CVE-2020-1206 which allows an attacker to leak kernel memory remotely, without any authentication. How can it be exploited? Check below.<\/p>\n\n\n\n

<\/div>\n\n\n\n\n\n\n\n<\/a>\n\n\n

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol<\/h2>\n\n\n

Researchers uncovered a new critical vulnerability affecting the Server Message Block (SMB) protocol. It could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed „wormable” bug, the flaw can be exploited to achieve remote code execution attacks.<\/p>\n\n\n\n

Dubbed „SMBleed” (CVE-2020-1206), the flaw resides in SMB’s decompression function – the same function as with SMBGhost or EternalDarkness bug. And just to remind you – SMBGhost was deemed so serious that it received a maximum severity rating score of 10.<\/p>\n\n\n\n

The SMBleed vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft last week released security patches. <\/p>\n\n\n\n

The SMBleed flaw stems from the way the decompression function in question („Srv2DecompressData”) handles specially crafted message requests (e.g., SMB2 WRITE) sent to a targeted SMBv3 Server, allowing an attacker to read uninitialized kernel memory and make modifications to the compression function.<\/p>\n\n\n\n

„An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it\u201d – said Microsoft in its advisory.<\/p>\n\n\n\n

Worse, SMBleed can be chained with SMBGhost on unpatched Windows 10 systems to achieve remote code execution.<\/p>\n\n\n\n

To mitigate the vulnerability, it’s recommended that home and business users install the latest Windows updates as soon as possible. For systems where the patch is not applicable, it’s advised to block port 445 to prevent lateral movement and remote exploitation.<\/p>\n\n\n\n

Read more<\/a><\/p>\n\n\n\n

\"\"<\/a><\/figure><\/div>\n\n\n\n
<\/div>\n\n\n\n<\/a>\n\n\n

Plug-and-Play Protocol vulnerability is a serious threat for even a few billions of devices<\/strong><\/h2>\n\n\n

The flaw was named „CallStranger\u201d (CVE-2020-12695) – a very accurate name, it is based on a security vulnerability in a protocol that allows the devices to communicate with each other. A wide range of plug-and-play products is impacted, including Xbox gaming consoles, printers, routers, switches, and cameras – devices from over 20 vendors, including Microsoft, Cisco, Canon, HP, and Philips are vulnerable. The full list of affected devices can be found here.<\/a><\/p>\n\n\n\n

Attackers can not only launch DDoS attacks but also scan internal ports for other similarly vulnerable devices on local networks.<\/p>\n\n\n\n

The flaw discovered by Yunus \u00c7ad\u0131rc\u0131, a Cyber Security Senior Manager at EY Turkey, is associated with an UPnP function called SUBSCRIBE that allows devices to monitor the status of other network-connected UPnP services and devices. The problem with UPnP is that devices running the protocol implicitly trust requests from other devices on the local network without any prior authentication.<\/p>\n\n\n

Anatomy of an attack<\/h6>\n\n\n

Attackers can take control of the function via specifically crafted SUBSCRIBE requests over HTTP – the 'Callback’ header value in the UPnP SUBSCRIBE function is not checked. Hackers could stuff their request with a large volume of target URLs across multiple vulnerable devices, overwhelming their target’s resources which results in a denial of service.<\/p>\n\n\n\n

Attackers could also steal data with UPnP. Connected media devices often reveal unique identifiers. Printers may allow monitoring of print status, and routers may give detailed information about the names and addresses of devices on the network. The severity of this threat depends on the device. <\/p>\n\n\n\n

Open Connectivity Foundation (OCF) updated the UPnP protocol specification on April 17 and has notified vendors and ISPs about the need to upgrade to the new specification. However, because the flaw lies at the protocol level, it could take a long time before all vendors address the issue.<\/p>\n\n\n\n

Read more: CallStranger.com<\/a> | CERT Coordination Center<\/a> | Dark Reading<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

Google is indexing the phone numbers of WhatsApp users raising privacy concerns<\/strong><\/h2>\n\n\n

Google is indexing the phone numbers of WhatsApp users that could be abused by threat actors for malicious activities. <\/p>\n\n\n\n

Earlier this year, the Deutsche Welle journalist Jordan Wildon, noticed that invite links for WhatsApp and Telegram groups that may be intended for private access were available through search engines. These links could be abused by threat actors to join the group.<\/p>\n\n\n\n

Now security researcher Athul Jayaram discovered a data leak with WhatsApp\u2019s \u2018wa.me\u2019 domain that was revealing contact phone numbers on Google. The \u2018wa.me\u2019 domain is used to host \u2018click to chat\u2018 links that allow users to start a chat with someone without having their phone number saved in the phone\u2019s address book.<\/p>\n\n\n\n

To create the click to chat links, use https:\/\/wa.me\/<number> which is a full phone number in international format. The \u201cwa.me\u201d or \u201capi.whatsapp.com\u201d domains don\u2019t\u2019 prevent search engines from crawling phone numbers on the website allowing any link like \u201chttps:\/\/wa.me\/\u201d to get indexed by Google.<\/p>\n\n\n\n

Even if Google Search only revealed the phone numbers and not the identities of associated users, ill-intentioned attackers could be able to see users\u2019 profile pictures on WhatsApp and performing a reverse-image search the user\u2019s profile picture to gather additional info on the potential victim (i.e. mining social media accounts where the victim use the same profile picture). It might allow attackers to message and call them, sell their numbers to marketers, spammers and scammers. <\/p>\n\n\n\n

Read more<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n<\/a>\n\n\n

CrossTalk a younger brother<\/em> of Spectre and Meltdown<\/strong><\/h2>\n\n\n

The newly discovered vulnerability can be used to leak data across Intel CPU cores. This is an example of another type of MDS (microarchitectural data sampling) attack. It enables attacker-controlled code executing on one CPU core to leak sensitive data from other software running on a different core. During the attack hacker targets user data while in a „transient” state, as it’s being processed by the CPU’s Line Fill Buffer (LBF).<\/p>\n\n\n\n

Researchers from the Vrije University’s Systems and Network Security Group (Netherlands) have been working with Intel to develop a patch since September 2018. You probably ask yourself why it took almost 21 months\u2026 For the most part, this is because of the complexity of the issue. In the meantime, Intel has already made significant changes to the hardware design of its CPUs. Most of its recent products are not vulnerable to this attack. OK, and what with the older Intel CPU lines? Intel has released a microcode update (Intel-SA-00320) to patch the bug a few days ago. You can find detailed information here<\/a>.<\/p>\n\n\n\n

\n