Attacker Value

High

CVE-2020-1206 Windows SMBv3 Client/Server Information Disclosure Vulnerability

Attacker Value

High

(1 user assessed)

Exploitability

Moderate

(1 user assessed)

User Interaction

CVE-2020-1206 Windows SMBv3 Client/Server Information Disclosure Vulnerability

Disclosure Date: June 09, 2020 •

CVE-2020-1206 CVSS v3 Base Score: 7.5

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

Description

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Information Disclosure Vulnerability’.

Add Assessment

busterb (317)

June 09, 2020 11:49pm UTC (4 years ago)•

Ratings

Attacker Value

High

Exploitability

Medium

Common in enterprise

Technical Analysis

Edit: After writing this @adfoster-r7 pointed out that Zecops has a writeup on exactly how to chain this with SMBGhost. How apropos! https://blog.zecops.com/vulnerabilities/smbleedingghost-writeup-chaining-smbleed-cve-2020-1206-with-smbghost/

Note that if you were already patched against CVE-2020-0796, the current PoCs aren’t going to be impactful to you, so the urgency is lower than if you’re a couple of months out of date. If you’re patching already, no need to panic.

Whenever we see SMB memory corruption leaks, the cry is always ‘oh, if only we had an information leak, we could make this so much more reliable’. Well, assuming someone figures out the details, this could be the information leak folks are looking for to make SMBGhost and other vulnerabilities more reliable to exploit. Not a big deal by itself, but I imagine folks are already trying to figure out how to use this to an advantage. It might not take long given the existence of public SMBGhost PoCs already.

See More &1 replySee Less

busterb (317) June 10, 2020 5:01pm UTC (4 years ago)•

Bumped the value and exploitability ratings here since the PoC got published showing the chain in action. Nice work! https://github.com/ZecOps/CVE-2020-0796-RCE-POC

The kept exploitability medium since there are still a few gotchas to keep in mind, such as it being tough to achieve reliability with > 1 core (when is the last time you bought a computer with 1 core?). You’ll likely see this more for exploiting VMs than, say, your average laptop or enterprise server. On the other hand, none of that prevented mass exploitation of BlueKeep, so be prepared for similar spray-and-pray type campaigns.

Due to the nature of the exploitation, the POC works best for targets running on a computer (or a VM) with a single logical processor. Targets with more than one logical processor running in VirtualBox should be supported as well, but the POC is less reliable in this case.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

microsoft

Products

windows 10 1903,
windows 10 1909,
windows 10 2004,
windows server 2016 1903,
windows server 2016 1909,
windows server 2016 2004

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: June 14, 2022 9:36pm UTC (2 years ago)

References

Canonical

CVE-2020-1206 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1206)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1206

http://packetstormsecurity.com/files/158053/SMBleed-Uninitialized-Kernel-Memory-Read-Proof-Of-Concept.html

Rapid7

High