CVE-2020-1206
published 2020-06-09

Priority: P2 74 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 9.54% (94.8th percentile)

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Information Disclosure Vulnerability'.

Affected

27 ranges · showing 25

Vendor     Product                                           Version range  Fixed in
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10_version_1903_for_32-bit_systems
microsoft  windows_10_version_1903_for_arm64-based_systems
microsoft  windows_10_version_1903_for_x64-based_systems
microsoft  windows_10_version_1909_for_32-bit_systems
microsoft  windows_10_version_1909_for_arm64-based_systems
microsoft  windows_10_version_1909_for_x64-based_systems
microsoft  windows_10_version_2004_for_32-bit_systems
microsoft  windows_10_version_2004_for_arm64-based_systems
microsoft  windows_10_version_2004_for_x64-based_systems
microsoft  windows_server_2016
microsoft  windows_server_2016
microsoft  windows_server_2016
msrc       windows_10_version_1903_for_32-bit_systems
msrc       windows_10_version_1903_for_arm64-based_systems
msrc       windows_10_version_1903_for_x64-based_systems
msrc       windows_10_version_1909_for_32-bit_systems
msrc       windows_10_version_1909_for_arm64-based_systems
msrc       windows_10_version_1909_for_x64-based_systems
msrc       windows_10_version_2004_for_32-bit_systems
msrc       windows_10_version_2004_for_arm64-based_systems
msrc       windows_10_version_2004_for_x64-based_systems
msrc       windows_server_version_1903

Detection & IOCs (extracted from sources)

port: 445
registry: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression
other: 3523ca04-a12d-4b40-8837-1a1d28ef96de
other: d3a2f24a-ddc6-4548-9b3d-470e70dbcaab
other: fb30ee05-4a35-45f7-9a0a-829aec7e47d9
yara:
rule HKTL_NET_GUID_CVE_2020_1206_POC {
  meta:
    description = "Detects .NET red/black-team tools via typelibguid"
    reference = "https://github.com/ZecOps/CVE-2020-1206-POC"
    author = "Arnim Rupp"
    date = "2021-01-21"
  strings:
    $typelibguid0 = "3523ca04-a12d-4b40-8837-1a1d28ef96de" ascii nocase wide
    $typelibguid1 = "d3a2f24a-ddc6-4548-9b3d-470e70dbcaab" ascii nocase wide
    $typelibguid2 = "fb30ee05-4a35-45f7-9a0a-829aec7e47d9" ascii nocase wide
  condition:
    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
  • Exploitation can be unauthenticated against SMBv3 servers via a specially crafted packet, or against clients by luring them to connect to a malicious SMBv3 server. Detect unexpected inbound SMBv3 connections on TCP/445 from external sources.
  • The Check Point IPS blade signature name for this CVE can be used as a reference detection label: 'Microsoft Windows SMBv3 Client/Server Information Disclosure (CVE-2020-1206)'.
  • The YARA rule targets PE files (.NET) containing any of three specific typelibguids associated with the ZecOps CVE-2020-1206 PoC tool. Hunt for these GUIDs in PE binaries on disk and in memory.
  • The workaround (disabling SMBv3 compression via registry) only protects SMBv3 servers, not SMB clients. Client-side protection requires blocking SMB traffic at the network perimeter.
  • Only Windows 10 version 1903 and later are affected; older Windows versions do not support SMBv3.1.1 compression and are not vulnerable.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd          v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             7.5    HIGH
vendor_msrc           8.6    HIGH