Attacker Value
Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
1

CVE-2020-1241

Disclosure Date: June 09, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters.To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system.The update addresses the vulnerability by correcting how Windows Kernel handles parameter sanitization., aka ‘Windows Kernel Security Feature Bypass Vulnerability’.

Add Assessment

1
Ratings
Technical Analysis

A vulnerability exists with the Windows kernel that can be used to bypass the NULL page mitigation feature that prevents users from allocating the memory that exists at the literal address 0. This is required for exploiting the class of memory corruption vulnerabilities known as NULL Page Dereferece or NULL Pointer Derefernce. This vulnerability would not be useful on it’s own but rather would make exploitation of another vulnerability practical.

In order to leverage this vulnerability, Intel’s SGX functionality must be available on the host. From my testing, the required functionality does not appear to be available from within virtual machines, meaning that a vulnerable environment would likely have to run on hardware. The vulnerability exists within the implementation of the NtCreateEnclave.

The function NtCreateEnclave is exposed through ntdll, was added in Windows 10 v1511 and uses the following signature (according to Process Hacker):

NTSYSAPI
NTSTATUS
NTAPI
NtCreateEnclave(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T Size,
    _In_ SIZE_T InitialCommitment,
    _In_ ULONG EnclaveType,
    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
    _In_ ULONG EnclaveInformationLength,
    _Out_opt_ PULONG EnclaveError
    );

NtCreateEnclave will return 0xc00000bb (STATUS_NOT_SUPPORTED) if the necessary SGX capabilities are unavailable, making identification relatively easy.

I flag this as “No useful access” because it’s most valuable as an exploit primitive, and does not provide any access or information on it’s on.

References: https://twitter.com/waleedassar/status/1270550282695585792

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 1607,
  • windows 10 1709,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows 10 1909,
  • windows 10 2004,
  • windows server 2016 -,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2016 1909,
  • windows server 2016 2004,
  • windows server 2019 -

Additional Info

Technical Analysis