zeroSteiner's assessment of CVE-2020-1464

Description

A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files.
In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.
The update addresses the vulnerability by correcting how Windows validates file signatures.

Add Assessment

zeroSteiner (340)

August 11, 2020 9:33pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Low

Exploitability

Medium

Common in enterprise Vulnerable in default configuration No useful access

Technical Analysis

A vulnerability exists within Windows that can allow file signature validation to be bypassed. This would allow an attacker to load and execute PE files without having signed them, possibly masquerading as a legitimate signature. This would be useful if the system the attacker is on requires signatures for all files or if the attacker wanted to load a library into a process where signatures are enforced.

This would not grant elevated privileges without being combined with an additional primitive.

While this is being actively exploited in the wild, at this time there are few public details on the vulnerability.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.5 Medium

Impact Score:

3.6

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

None

General Information

Offensive Application

post

Utility Class

other

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1803 publication

Windows 10 Version 1809 publication

Windows Server 2019 publication

Windows Server 2019 (Server Core installation) publication

Windows 10 Version 1909 publication

Windows Server, version 1909 (Server Core installation) publication

Windows 10 Version 1709 for 32-bit Systems publication

Windows 10 Version 1709 publication

Windows 10 Version 1903 for 32-bit Systems publication

Windows 10 Version 1903 for x64-based Systems publication

Windows 10 Version 1903 for ARM64-based Systems publication

Windows Server, version 1903 (Server Core installation) publication

Windows 10 Version 2004 publication

Windows Server version 2004 publication

Windows 10 Version 1507 publication

Windows 10 Version 1607 publication

Windows Server 2016 publication

Windows Server 2016 (Server Core installation) publication

Windows 7 publication

Windows 7 Service Pack 1 publication

Windows 8.1 publication

Windows Server 2008 Service Pack 2 publication

Windows Server 2008 Service Pack 2 (Server Core installation) publication

Windows Server 2008 Service Pack 2 publication

Windows Server 2008 R2 Service Pack 1 publication

Windows Server 2008 R2 Service Pack 1 (Server Core installation) publication

Windows Server 2012 publication

Windows Server 2012 (Server Core installation) publication

Windows Server 2012 R2 publication

Windows Server 2012 R2 (Server Core installation) publication

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

windows 10 -,
windows 10 1607,
windows 10 1709,
windows 10 1803,
windows 10 1809,
windows 10 1903,
windows 10 1909,
windows 10 2004,
windows 7 -,
windows 8.1 -,
windows rt 8.1 -,
windows server 2008 -,
windows server 2008 r2,
windows server 2012 -,
windows server 2012 r2,
windows server 2016 -,
windows server 2016 1903,
windows server 2016 1909,
windows server 2016 2004,
windows server 2019 -

Exploited in the Wild

Reported by:

zeroSteiner

Reported: August 28, 2020 5:46pm UTC (4 years ago)

gwillcox-r7 indicated source as Government or Industry Alert (https://us-cert.cisa.gov/ncas/current-activity/2020/08/11/microsoft-addresses-rce-and-spoofing-vulnerabilities-under-active)

Reported: November 03, 2021 4:00pm UTC (3 years ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:15am UTC (2 weeks ago)

References

Canonical

CVE-2020-1464 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1464)

Miscellaneous

https://medium.com/@TalBeerySec/glueball-the-story-of-cve-2020-1464-50091a1f98bd

https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464

https://blog.virustotal.com/2019/01/distribution-of-malicious-jar-appended.html

https://medium.com/%40TalBeerySec/glueball-the-story-of-cve-2020-1464-50091a1f98bd

https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years/

Rapid7

Low

CVE-2020-1464

Low

Moderate

None

Low

Local

CVE-2020-1464

Description