VYPR
Unrated severity · NVD Advisory · Published Jun 9, 2020 · Updated Aug 4, 2024

CVE-2020-1206

Description

An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Information Disclosure Vulnerability'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A kernel pool memory leak in Microsoft SMBv3 (CVE-2020-1206) allows an unauthenticated attacker to leak sensitive information from kernel memory, aiding further compromise.

Vulnerability

CVE-2020-1206 is an information disclosure vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. The bug resides in how the SMBv3 client and server components handle specially crafted requests, leading to a kernel pool memory leak. This affects all supported versions of Windows at the time of disclosure, including Windows 10, Windows Server 2019, and earlier releases, as detailed in the official advisory [1]. The vulnerability is reachable when a system is configured to use SMBv3 compression (enabled by default in most configurations).

Exploitation

An unauthenticated attacker can trigger the vulnerability remotely over the network by sending a maliciously crafted SMBv3 packet to a target server or client system. No authentication or user interaction is required. Proof-of-concept code published by security researcher ZecOps demonstrates how an attacker can exploit this to read uninitialized kernel memory [1]. The attack does not require any prior access and can be executed from a standard network position.

Impact

Successful exploitation allows an attacker to read sensitive information from kernel memory, such as credentials, cryptographic keys, or other data that could be used to further compromise the system. This is a pure information disclosure issue (a confidentiality impact in CIA terms) and does not directly enable code execution or system corruption. However, the leaked data may facilitate subsequent attacks, such as privilege escalation or lateral movement.

Mitigation

Microsoft released a security update on June 9, 2020 (Patch Tuesday) that addresses CVE-2020-1206 [1]. All users should apply the update from Windows Update or the Microsoft Update Catalog immediately. As a workaround, disabling SMBv3 compression on SMB servers can mitigate the risk, though it may impact performance. No workaround is available for client systems. According to the cited references, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. Packet Storm

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

13
  • Microsoft/Windows 10 Version 1903 for 32-bit Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 1903 for ARM64-based Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 1903 for x64-based Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 1909 for 32-bit Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 1909 for ARM64-based Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 1909 for x64-based Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 2004 for 32-bit Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 2004 for ARM64-based Systems · v5
    Range: unspecified
  • Microsoft/Windows 10 Version 2004 for x64-based Systems · v5
    Range: unspecified
  • Microsoft/Windows Server, version 1903 (Server Core installation) · v5
    Range: unspecified
  • Microsoft/Windows Server, version 1909 (Server Core installation) · v5
    Range: unspecified
  • Microsoft/Windows Server, version 2004 (Server Core installation) · v5
    Range: unspecified
