Attacker Value
High
(2 users assessed)
Exploitability
Moderate
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
13

CVE-2020-17087 Windows Kernel local privilege escalation 0day

Disclosure Date: November 11, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated
Initial Access
Techniques
Validation
Validated
Validated

Description

Windows Kernel Local Elevation of Privilege Vulnerability

Add Assessment

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 -,
  • windows 10 1607,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows 10 1909,
  • windows 10 2004,
  • windows 10 20h2,
  • windows 7 -,
  • windows 8.1 -,
  • windows rt 8.1 -,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016 -,
  • windows server 2016 1903,
  • windows server 2016 1909,
  • windows server 2016 2004,
  • windows server 2016 20h2,
  • windows server 2019 -

Additional Info

Technical Analysis

Update: CVE-2020-17087 was patched on November 10, 2020, as part of Microsoft’s November Patch Tuesday release.

Description

On October 30, 2020, Google’s Project Zero team publicly disclosed CVE-2020-17087, a zero-day vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The vulnerability arises from input/output controller (IOCTL) 0x390400 processing and could allow a local attacker to escalate privileges, including for sandbox escape. The vulnerability is unpatched as of October 30—a patch is currently expected on November 10, 2020 as part of Microsoft’s November Patch Tuesday release.

Project Zero researchers said in their disclosure that Google has seen evidence of the zero day’s being used in targeted attacks in the wild. Project Zero lead Ben Hawkes said on Twitter that CVE-2020-17087 was used in conjunction with CVE-2020-15999, another zero-day in Google Chrome, to form an exploit chain that allowed attackers to escape Chrome’s sandbox to execute code on the underlying (Windows) operating system.

Affected products

In their initial report on October 22, 2020, Mateusz Jurczyk and Sergei Glazunov of Project Zero said they’d verified that an up-to-date build of Windows 10 1903 (64-bit) was vulnerable, but that they believed that the vulnerability had been present since at least Windows 7.

Rapid7 analysis

An unpatched zero-day in the Windows kernel affecting a huge swath of Windows users and seeing in-the-wild exploitation is undoubtedly a concern. Both rich technical detail and PoC code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were also able to easily reproduce the crash on Windows 10 (v1909 build 18362). However, as Metasploit research lead Spencer McIntyre points out in his assessment of CVE-2020-17087, the vulnerability’s value to attackers is high, but its exploitability is at least somewhat more limited than it might appear at first glance. Creating a full exploit chain would require a primitive (i.e., an info leak) to turn the crash into code execution.

It’s possible we’ll see PoC exploit code quickly that extends the Project Zero researchers’ work and enables broader-scale attacks than the targeted exploitation Google disclosed to Microsoft earlier this month. It’s also possible, however, that the difficulty of reliably exploiting heap corruption vulnerabilities will slow down at-scale attacker capabilities until Microsoft releases a patch.

References