Attacker Value: High (2 users assessed)
Exploitability: Moderate (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local

CVE-2020-17087 Windows Kernel local privilege escalation 0day

Disclosure Date: November 11, 2020
Exploited in the Wild
Reported by zeroSteiner
MITRE ATT&CK tactics: Execution, Initial Access

Description

CVE-2020-17087 is a pool-based buffer overflow vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The vulnerability arises in the processing of input/output control (IOCTL) code 0x390400 and could allow a local attacker to escalate privileges, including as part of a sandbox escape. The vulnerability was initially disclosed as a zero-day by Google’s Project Zero team; it was patched on November 10, 2020, as part of Microsoft’s November 2020 Patch Tuesday release.


General Information

Vendors

  • Microsoft

Products

  • Windows
  • Windows Server
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows Server, version 1909 (Server Core installation)
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core installation)
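A quick exposure check a defender can run on a host, written for this page and not Rapid7's or Microsoft's code. It compares the installed Windows release against the affected feature releases listed above and reports the cng.sys driver version; because the page names no KB number, it treats "some update installed on or after the November 10, 2020 patch date" as a heuristic for the fix being present, which is an assumption and not proof.

```powershell
# Exposure check for CVE-2020-17087 (added example, not vendor code).
# Assumptions: affected releases are those listed on this page; the fix shipped
# on 2020-11-10; an update dated on/after that day is used as a patch heuristic.

$AffectedReleases = @('1903', '1909', '2004', '20H2', '2009')  # 2009 = ReleaseId that 20H2 reports
$PatchDate        = Get-Date '2020-11-10'

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# DisplayVersion (e.g. "20H2") exists from 20H2 onward; older builds only carry ReleaseId.
$release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
$build   = "$($cv.CurrentBuild).$($cv.UBR)"

# The vulnerable component is the kernel cryptography driver; record its file version for the report.
$cngPath = Join-Path $env:SystemRoot 'System32\drivers\cng.sys'
$cngVer  = (Get-Item $cngPath -ErrorAction SilentlyContinue).VersionInfo.FileVersion

Write-Host "Windows release: $release (build $build)"
Write-Host "cng.sys version: $cngVer"

if ($AffectedReleases -notcontains $release) {
    Write-Host "Release is not in this page's affected list; confirm against the vendor advisory."
    return
}

# Any update installed on/after the patch date is taken as evidence that the November 2020
# cumulative update (or a later one) is present. InstalledOn can be empty for some entries.
$postPatch = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
    Sort-Object InstalledOn -Descending

if ($postPatch) {
    Write-Host "Updates installed on/after $($PatchDate.ToShortDateString()):"
    $postPatch | Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
    Write-Host "Likely patched; confirm the specific KB for CVE-2020-17087 in Microsoft's advisory."
} else {
    Write-Warning "Affected release with no update since $($PatchDate.ToShortDateString()); treat as exposed to CVE-2020-17087."
}
```

Run it in an elevated PowerShell session so Get-HotFix and the driver file are readable; on domain hosts the same logic can be pushed through Invoke-Command to collect results centrally.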

Additional Info

Technical Analysis

Update: CVE-2020-17087 was patched on November 10, 2020, as part of Microsoft’s November Patch Tuesday release.

Description

On October 30, 2020, Google’s Project Zero team publicly disclosed CVE-2020-17087, a zero-day vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The vulnerability arises in the processing of input/output control (IOCTL) code 0x390400 and could allow a local attacker to escalate privileges, including as part of a sandbox escape. The vulnerability is unpatched as of October 30—a patch is currently expected on November 10, 2020 as part of Microsoft’s November Patch Tuesday release.

Project Zero researchers said in their disclosure that Google has seen evidence of the zero-day being used in targeted attacks in the wild. Project Zero lead Ben Hawkes said on Twitter that CVE-2020-17087 was used in conjunction with CVE-2020-15999, another zero-day in Google Chrome, to form an exploit chain that allowed attackers to escape Chrome’s sandbox and execute code on the underlying (Windows) operating system.

Affected products

In their initial report on October 22, 2020, Mateusz Jurczyk and Sergei Glazunov of Project Zero said they’d verified that an up-to-date build of Windows 10 1903 (64-bit) was vulnerable, but that they believed that the vulnerability had been present since at least Windows 7.

Rapid7 analysis

An unpatched zero-day in the Windows kernel that affects a huge swath of Windows users and is being exploited in the wild is undoubtedly a concern. Both rich technical detail and PoC code are readily available to the public, including to researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were also able to easily reproduce the crash on Windows 10 (v1909 build 18362). However, as Metasploit research lead Spencer McIntyre points out in his assessment of CVE-2020-17087, the vulnerability’s value to attackers is high, but its exploitability is at least somewhat more limited than it might appear at first glance: the public PoC produces a crash, and turning that crash into code execution for a full exploit chain would require an additional primitive (i.e., an info leak).

It’s possible we’ll see PoC exploit code quickly that extends the Project Zero researchers’ work and enables broader-scale attacks than the targeted exploitation Google disclosed to Microsoft earlier this month. It’s also possible, however, that the difficulty of reliably exploiting heap corruption vulnerabilities will slow down at-scale attacker capabilities until Microsoft releases a patch.
