Attacker Value
Low
(3 users assessed)
Exploitability
High
(3 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
1

ADV200006 - Type 1 Font Parsing Remote Code Execution Vulnerability in Windows

Disclosure Date: April 15, 2020
CVE-2020-0938 CVSS v3 Base Score: 7.8
Exploited in the Wild
Reported by gwillcox-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely, aka ‘Adobe Font Manager Library Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-1020.

Add Assessment

6
Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Common in enterpriseVulnerable in default configurationNo useful access
Technical Analysis

A fairly standard policy of disabling preview windows is a good mitigation for this vulnerability. Since this appears to have been found in the wild, but I’m lowering this from original assessment, due to it being patched in the latest April 2020 PT, and there wasn’t a particular rush to fix it out of band.

Tencent has an analysis of the vulnerabilities based on the PT diffs: https://mp.weixin.qq.com/s/RvTZWvcXiXsI7xB6L9RWIg

From the MSRC advisory, this has limited impact on Windows 10.

For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities.

Log in to Add Reply
3
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Common in enterpriseVulnerable in default configurationNo useful access
Technical Analysis

Less impact on systems running windows 10 1703 and later, as all fonts are processed in user-mode app-container sandbox and successful exploitation gives limited privileges and capabilities within the sandbox.

Patch: Released by Microsoft.

Log in to Add Reply
1
Technical Analysis

Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
exploit
Utility Class
privesc
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server version 1803 (Core Installation)
Windows Server 2019
Windows Server 2019 (Core installation)
Windows Server 2016
Windows Server 2016 (Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Core installation)
Windows Server 2012
Windows Server 2012 (Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, version 1903 (Server Core installation)
Prerequisites
Unknown
Discovered By
Google Project Zero and Google Threat Analysis Group
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server,
  • Windows 10 Version 1909 for 32-bit Systems,
  • Windows 10 Version 1909 for x64-based Systems,
  • Windows 10 Version 1909 for ARM64-based Systems,
  • Windows Server, version 1909 (Server Core installation),
  • Windows 10 Version 1903 for 32-bit Systems,
  • Windows 10 Version 1903 for x64-based Systems,
  • Windows 10 Version 1903 for ARM64-based Systems,
  • Windows Server, version 1903 (Server Core installation)

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis