CVE-2020-24772

8.8 HIGH

📋 TL;DR

A crafted URL, for example one served by a malicious web page, can make the Clash for Windows client open an attacker-controlled SMB share. The Windows SMB client then authenticates to that share automatically with the logged-in user's credentials, so the attacker receives an NTLM challenge/response that can be relayed to other hosts for code execution or captured and cracked offline. The advisory names Dreamacro Clash for Windows version 0.11.4 as affected; the attacker only needs the victim to visit a page that triggers the URL while outbound SMB from the workstation is allowed.

💻 Affected Systems

Products:
  • Dreamacro Clash for Windows
Versions: v0.11.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction (visiting a malicious website) and a Windows SMB client that can reach the attacker's host on TCP/445, i.e. outbound SMB is not blocked at the host or perimeter.

📦 What is this software?

Clash for Windows is a Windows desktop front end for the Clash rule-based proxy core. It runs in the context of the logged-in user, so any SMB connection it is tricked into opening authenticates with that user's Windows credentials.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Relay of the victim's NTLM authentication to another host where that account has privileges, giving remote code execution there; if the account is a privileged domain user, this extends to domain-level compromise. Captured challenge/responses add credential theft and lateral movement once cracked.

🟠

Likely Case

Capture of the user's Net-NTLMv2 challenge/response for offline cracking, leading to unauthorized access to network resources with that account; code execution only where NTLM relay against an unsigned SMB target succeeds.

🟢

If Mitigated

No impact where the client is updated to 0.11.5 or later, outbound SMB to untrusted networks is blocked, or outgoing NTLM is restricted; relay is additionally blunted where servers require SMB signing.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to visit a malicious website (or otherwise open the crafted URL). Capturing the resulting NTLM challenge/response is automated by tools such as Responder; relaying it to other hosts is automated by ntlmrelayx from Impacket.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.11.5 and later

Vendor Advisory: https://github.com/Dreamacro/clash/issues/910

Restart Required: Yes (restart the application; a system reboot is not needed)

Instructions:

1. Download version 0.11.5 or later from the official GitHub repository.
2. Uninstall the old version.
3. Install the new version.
4. Relaunch Clash for Windows and confirm the new version in the About dialog.

🔧 Temporary Workarounds

Block outbound SMB with Windows Firewall

windows

Block outbound SMB connections so the client never reaches an untrusted share and therefore never authenticates to it. The rule below blocks all outbound TCP/445, which also breaks access to legitimate file servers; scope it with -RemoteAddress (for example to non-local addresses) if internal shares must keep working, and consider TCP/139 and UDP/137-138 as well.

New-NetFirewallRule -DisplayName "Block SMB Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block

Restrict outgoing NTLM

windows

Set the Group Policy setting Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to Audit all first, then to Deny all, listing any servers that still need NTLM under "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication". This stops the credential leak even when the SMB connection itself is allowed to complete.
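The two workarounds above as one script. This is an added example, not code from the Clash project or the advisory; it assumes an elevated PowerShell session on the affected workstation and uses the built-in Windows Firewall address keyword Internet so that SMB to local file servers keeps working, then writes the registry value behind the "Outgoing NTLM traffic to remote servers" policy (MSV1_0\RestrictSendingNTLMTraffic; 1 = Audit all, 2 = Deny all).

```powershell
# Added example, not from the Clash project or the advisory: scope the outbound SMB block
# to Internet destinations and restrict outgoing NTLM, which is what actually stops the
# credential leak. Run in an elevated PowerShell session.

function Block-OutboundSmbToInternet {
    # 'Internet' is a built-in Windows Firewall address keyword (non-local addresses), so
    # file servers on the local network keep working. A bare block on 445 breaks all file sharing.
    $rules = @(
        @{ Name = 'Block SMB 445 Outbound (Internet)';        Protocol = 'TCP'; Port = '445'     },
        @{ Name = 'Block NetBIOS 139 Outbound (Internet)';    Protocol = 'TCP'; Port = '139'     },
        @{ Name = 'Block NetBIOS NS/DGM Outbound (Internet)'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Protocol $r.Protocol `
                -RemotePort $r.Port -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'Block SMB*', 'Block NetBIOS*' |
        Select-Object DisplayName, Enabled, Direction, Action
}

function Set-OutgoingNtlmRestriction {
    param(
        # 1 = Audit all (attempts are logged to Microsoft-Windows-NTLM/Operational), 2 = Deny all.
        [ValidateSet(1, 2)] [int] $Mode = 1,
        # Servers that still need NTLM; maps to "Add remote server exceptions for NTLM authentication".
        [string[]] $AllowedServers = @()
    )
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value $Mode -Type DWord
    if ($AllowedServers.Count -gt 0) {
        Set-ItemProperty -Path $lsa -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
    Get-ItemProperty -Path $lsa | Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers
}

Block-OutboundSmbToInternet
# Audit first; switch to -Mode 2 once the NTLM operational log shows no legitimate outgoing NTLM.
Set-OutgoingNtlmRestriction -Mode 1
```

Deny all (mode 2) also blocks NTLM to legitimate servers that cannot do Kerberos, which is why the script defaults to audit; add those servers with -AllowedServers before moving to deny.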

🧯 If You Can't Patch

  • Disable or restrict Clash for Windows application execution via application control policies.
  • Segment the network so workstations cannot reach TCP/445 outside the corporate address space, and require SMB signing on servers so a relayed session is rejected.

🔍 How to Verify

Check if Vulnerable:

Check Clash for Windows version in application settings or About dialog; version 0.11.4 is vulnerable.

Check Version:

The application has no version switch, but the installed version is recorded in the Windows Uninstall registry keys (what Programs and Features displays) and in the version resource of the executable, so it can be read from PowerShell without opening the GUI.

Verify Fix Applied:

Confirm version is 0.11.5 or higher in application settings.
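A version check that can be run remotely or at scale. This is an added example, not code from the advisory or the project: it reads DisplayVersion from the per-user and per-machine Uninstall hives and falls back to the executable's version resource. The fallback path under %LOCALAPPDATA%\Programs is an assumption about the default per-user installer location, and the "below 0.11.5 is unpatched" rule follows the advisory's fixed version.

```powershell
# Added example, not from the advisory: determine the installed Clash for Windows version
# and compare it with the first fixed release (0.11.5 per the advisory).

function Get-ClashForWindowsVersion {
    $hives = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $app = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Clash for Windows*' } |
           Select-Object -First 1
    if ($app -and $app.DisplayVersion) {
        # Strip any pre-release suffix so the [version] cast succeeds.
        return [version]($app.DisplayVersion -replace '[^\d.].*$', '')
    }
    # Assumed default per-user install path; adjust if the package was installed elsewhere.
    $exe = Join-Path $env:LOCALAPPDATA 'Programs\Clash for Windows\Clash for Windows.exe'
    if (Test-Path $exe) {
        $v = (Get-Item $exe).VersionInfo.ProductVersion
        return [version]($v -replace '[^\d.].*$', '')
    }
    return $null
}

function Test-ClashForWindowsVulnerable {
    param([version] $Version)
    # The advisory names 0.11.4 as affected and 0.11.5 as the first fixed release,
    # so anything below 0.11.5 is treated as unpatched.
    if (-not $Version) { throw 'Clash for Windows not found; nothing to assess.' }
    return $Version -lt [version] '0.11.5'
}

$v = Get-ClashForWindowsVersion
if ($null -eq $v) {
    'Clash for Windows is not installed for this user/machine.'
} elseif (Test-ClashForWindowsVulnerable $v) {
    "Clash for Windows $v is affected by CVE-2020-24772; update to 0.11.5 or later."
} else {
    "Clash for Windows $v is at or above the fixed version."
}
```

Because the per-user hive is checked first, run the script in the context of each user who might have installed the client, or enumerate HKEY_USERS when sweeping a fleet.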

📡 Detection & Monitoring

Log Indicators:

  • Sysmon Event ID 3 (network connection) or Security Event 5156 (Filtering Platform connection permitted) with destination port 445 and the Clash for Windows process as the initiating image
  • Security Event 4624 with logon type 3 and authentication package NTLM on servers the user does not normally access: this is what a relay target records, so it appears on the server, not on the victim workstation
  • Microsoft-Windows-NTLM/Operational events on the workstation where the "Outgoing NTLM traffic to remote servers" policy is in Audit mode, showing an NTLM attempt to an external server

Network Indicators:

  • Outbound TCP/445 (and TCP/139, UDP/137-138) from workstations to addresses outside the organisation
  • SMB2 SESSION_SETUP exchanges with external hosts carrying an NTLMSSP negotiation (NTLMSSP_NEGOTIATE / NTLMSSP_AUTH); SMB has no user agent, so attribute the connection to Clash from host process telemetry, not from the traffic itself

SIEM Query:

Splunk SPL over Sysmon network-connection events; adjust index and source names to your environment. Event 4624 is recorded on the target server rather than the victim and carries no client process name, so a 4624-based query cannot detect this on the workstation.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 DestinationPort=445 Image="*Clash*"
| where NOT (cidrmatch("10.0.0.0/8", DestinationIp) OR cidrmatch("172.16.0.0/12", DestinationIp) OR cidrmatch("192.168.0.0/16", DestinationIp))
| table _time host User Image DestinationIp DestinationHostname
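The same hunt run locally against the Sysmon log, for hosts that do not forward to a SIEM. This is an added example, not code from the advisory or the project. It assumes Sysmon is installed with network-connection logging enabled, and that the Clash process image path contains "Clash" (the advisory does not name the exact executable, so the pattern is a parameter).

```powershell
# Added example, not from the advisory: hunt Sysmon Event ID 3 (network connection) for
# outbound TCP/445 from the Clash process to addresses outside private ranges.

function Test-PrivateIPv4 {
    param([string] $Address)
    # RFC 1918, loopback and link-local are treated as trusted; anything else is suspicious.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref] $ip)) { return $false }
    $b = $ip.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by the Name attribute.
    $xml  = [xml] $Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.'#text'
    }
    $data['TimeCreated'] = $Event.TimeCreated
    return $data
}

function Get-SuspiciousSmbConnections {
    param(
        [int]    $Hours        = 24,
        [string] $ImagePattern = '*Clash*'   # assumption: the process image path contains "Clash"
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent $_ } |
        Where-Object {
            $_.DestinationPort -eq '445' -and
            $_.Image -like $ImagePattern -and
            -not (Test-PrivateIPv4 $_.DestinationIp)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time                = $_.TimeCreated
                User                = $_.User
                Image               = $_.Image
                DestinationIp       = $_.DestinationIp
                DestinationHostname = $_.DestinationHostname
            }
        }
}

Get-SuspiciousSmbConnections -Hours 72 | Format-Table -AutoSize
```

Where Sysmon is not deployed, Security Event 5156 (requires "Audit Filtering Platform Connection") carries the same application path and destination port fields and can be parsed the same way; it is far noisier, so keep the port and image filters.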
