Attacker Value
Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
1

CVE-2020-1241

Disclosure Date: June 09, 2020
CVE-2020-1241 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A security feature bypass vulnerability exists when Windows Kernel fails to properly sanitize certain parameters.To exploit the vulnerability, a locally-authenticated attacker could attempt to run a specially crafted application on a targeted system.The update addresses the vulnerability by correcting how Windows Kernel handles parameter sanitization., aka ‘Windows Kernel Security Feature Bypass Vulnerability’.

Add Assessment

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Common in enterpriseEasy to weaponizeUnauthenticatedNo useful access
Technical Analysis

A vulnerability exists with the Windows kernel that can be used to bypass the NULL page mitigation feature that prevents users from allocating the memory that exists at the literal address 0. This is required for exploiting the class of memory corruption vulnerabilities known as NULL Page Dereferece or NULL Pointer Derefernce. This vulnerability would not be useful on it’s own but rather would make exploitation of another vulnerability practical.

In order to leverage this vulnerability, Intel’s SGX functionality must be available on the host. From my testing, the required functionality does not appear to be available from within virtual machines, meaning that a vulnerable environment would likely have to run on hardware. The vulnerability exists within the implementation of the NtCreateEnclave.

The function NtCreateEnclave is exposed through ntdll, was added in Windows 10 v1511 and uses the following signature (according to Process Hacker):

NTSYSAPI
NTSTATUS
NTAPI
NtCreateEnclave(
    _In_ HANDLE ProcessHandle,
    _Inout_ PVOID* BaseAddress,
    _In_ ULONG_PTR ZeroBits,
    _In_ SIZE_T Size,
    _In_ SIZE_T InitialCommitment,
    _In_ ULONG EnclaveType,
    _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation,
    _In_ ULONG EnclaveInformationLength,
    _Out_opt_ PULONG EnclaveError
    );

NtCreateEnclave will return 0xc00000bb (STATUS_NOT_SUPPORTED) if the necessary SGX capabilities are unavailable, making identification relatively easy.

I flag this as “No useful access” because it’s most valuable as an exploit primitive, and does not provide any access or information on it’s on.

References: https://twitter.com/waleedassar/status/1270550282695585792

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows Server version 1803 (Core Installation)
Windows Server 2019
Windows Server 2019 (Core installation)
Windows Server 2016
Windows Server 2016 (Core installation)
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1909 (Server Core installation)
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 1607,
  • windows 10 1709,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows 10 1909,
  • windows 10 2004,
  • windows server 2016 -,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2016 1909,
  • windows server 2016 2004,
  • windows server 2019 -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis