CVE-2020-0986
Description
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka ‘Windows Kernel Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2020-1237, CVE-2020-1246, CVE-2020-1262, CVE-2020-1264, CVE-2020-1266, CVE-2020-1269, CVE-2020-1273, CVE-2020-1274, CVE-2020-1275, CVE-2020-1276, CVE-2020-1307, CVE-2020-1316.
Ratings
- Attacker Value: Low
- Exploitability: High
Technical Analysis
Google Project Zero researcher Maddie Stone, who originally disclosed this vulnerability to Microsoft, reported on December 23, 2020 that the patch is incomplete and can be bypassed.
Quoting her post here: “The original issue was an arbitrary pointer dereference which allowed the attacker to control the src and dest pointers to a memcpy. The “fix” simply changed the pointers to offsets, which still allows control of the args to the memcpy.”
Stealing directly from a conversation with Metasploit’s Windows exploit expert @zeroSteiner, it sounds like this bug isn’t terribly useful as an LPE “because the splwow64 process doesn’t run with elevated privileges—just an elevated integrity, which Microsoft doesn’t consider a security boundary anymore anyway.” Project Zero-reported vulns tend to draw media and researcher attention, and there’s quite a lot of detail publicly available between Stone’s original report and this in-depth Kaspersky write-up, so we may see more exploitation even if the impact of the bug by itself isn’t terribly high. That said, the Kaspersky analysis is definitely worth a read if you want to understand this CVE’s utility for the IE 11 use case!
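The memcpy pattern Stone describes, as an added illustrative example in C. This is not code from the page or its contributors and not the splwow64 source; the arena layout, handler names and request structures are constructed for the demonstration. It shows three versions of a hypothetical message handler: the original bug class (client-supplied src/dst pointers), the incomplete fix (pointers swapped for offsets from a fixed base, but no bounds check, so offset+len still reaches adjacent memory), and a hardened version that validates both ranges with wrap-safe arithmetic before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for illustration only (not the splwow64 data layout):
 * one arena holds the 64-byte message region the client is allowed to fill,
 * immediately followed by 16 bytes of host-private data it must not reach. */
#define MSG_BUF_SIZE 64
#define SECRET_SIZE  16

struct host_state {
    uint8_t arena[MSG_BUF_SIZE + SECRET_SIZE];
};

static uint8_t *msg_buf(struct host_state *st) { return st->arena; }
static uint8_t *secret(struct host_state *st)  { return st->arena + MSG_BUF_SIZE; }

/* Request shapes the untrusted client controls (hypothetical). The original
 * bug took raw pointers; the first patch replaced them with offsets. */
struct request_ptrs { uint8_t *dst; const uint8_t *src; size_t len; };
struct request_offs { size_t dst_off; size_t src_off; size_t len; };

/* Version 1 (original bug class): client-supplied src and dst pointers. */
static void handle_ptrs(const struct request_ptrs *r)
{
    memcpy(r->dst, r->src, r->len);            /* arbitrary read + write */
}

/* Version 2 (the incomplete fix): offsets instead of pointers, but neither
 * offset+len is ever compared with MSG_BUF_SIZE, so the client still picks
 * where memcpy reads from and writes to. */
static void handle_offs_unchecked(struct host_state *st, const struct request_offs *r)
{
    memcpy(msg_buf(st) + r->dst_off, msg_buf(st) + r->src_off, r->len);
}

/* Version 3 (hardened): both ranges must lie inside msg_buf. The comparisons
 * are arranged so offset + len cannot wrap around; memmove is used because
 * the two ranges may legitimately overlap. Returns 0 on success, -1 if rejected. */
static int handle_offs_checked(struct host_state *st, const struct request_offs *r)
{
    if (r->len > MSG_BUF_SIZE)              return -1;
    if (r->dst_off > MSG_BUF_SIZE - r->len) return -1;
    if (r->src_off > MSG_BUF_SIZE - r->len) return -1;
    memmove(msg_buf(st) + r->dst_off, msg_buf(st) + r->src_off, r->len);
    return 0;
}

static void reset(struct host_state *st)
{
    memset(msg_buf(st), 0x41, MSG_BUF_SIZE);   /* client-filled bytes */
    memset(secret(st),  0xEE, SECRET_SIZE);    /* host-private bytes */
}

/* Version 1 with dst aimed at the private data: returns 1 if it was clobbered. */
int ptrs_clobber_secret(void)
{
    struct host_state st; reset(&st);
    struct request_ptrs r = { secret(&st), msg_buf(&st), 8 };
    handle_ptrs(&r);
    return secret(&st)[0] == 0x41;
}

/* Version 2 with dst_off just past the message region: the "offset fix"
 * still lands on the private data. Returns 1 if it was clobbered. */
int offsets_clobber_secret(void)
{
    struct host_state st; reset(&st);
    struct request_offs r = { MSG_BUF_SIZE, 0, 8 };
    handle_offs_unchecked(&st, &r);
    return secret(&st)[0] == 0x41;
}

/* Version 3 against the same past-the-end request: rejected, secret intact. */
int checked_rejects_past_end(void)
{
    struct host_state st; reset(&st);
    struct request_offs r = { MSG_BUF_SIZE, 0, 8 };
    return handle_offs_checked(&st, &r) == -1 && secret(&st)[0] == 0xEE;
}

/* Version 3 against an offset chosen so that offset + len wraps to a small value. */
int checked_rejects_wraparound(void)
{
    struct host_state st; reset(&st);
    struct request_offs r = { SIZE_MAX, 0, 8 };   /* SIZE_MAX + 8 wraps to 7 */
    return handle_offs_checked(&st, &r) == -1;
}

/* Version 3 with a legal copy into the last 8 bytes of msg_buf. */
int checked_allows_in_range(void)
{
    struct host_state st; reset(&st);
    msg_buf(&st)[0] = 0x5A;
    struct request_offs r = { MSG_BUF_SIZE - 8, 0, 8 };
    return handle_offs_checked(&st, &r) == 0
        && msg_buf(&st)[MSG_BUF_SIZE - 8] == 0x5A
        && secret(&st)[0] == 0xEE;
}

int main(void)
{
    printf("raw pointers clobber secret:      %d\n", ptrs_clobber_secret());
    printf("unchecked offsets clobber secret: %d\n", offsets_clobber_secret());
    printf("checked rejects past-end:         %d\n", checked_rejects_past_end());
    printf("checked rejects wraparound:       %d\n", checked_rejects_wraparound());
    printf("checked allows in-range copy:     %d\n", checked_allows_in_range());
    return 0;
}
```

The point of version 2 is the one Stone makes: turning a pointer into an offset only fixes the base, and an attacker who still controls offset and length controls the memcpy arguments just as well. The checks in version 3 compare `offset` against `size - len` rather than computing `offset + len`, so an offset near SIZE_MAX cannot wrap past the check.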
Technical Analysis
Reported as exploited in the wild in Google Project Zero’s 2020 0-day vulnerability spreadsheet, available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. The original tweet announcing the spreadsheet with the 2020 findings is at https://twitter.com/maddiestone/status/1329837665378725888
General Information
Vendors
- Microsoft
Products
- Windows
- Windows Server
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows Server, version 1909 (Server Core installation)
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows Server, version 1903 (Server Core installation)
- Windows 10 Version 2004 for 32-bit Systems
- Windows Server, version 2004 (Server Core installation)
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for x64-based Systems
Technical Analysis
As just said before, this vulnerability won’t get you elevated privileges, but, since the vulnerable process (splwow64.exe) is running at medium integrity level, it is possible to combine it with another remote code execution exploit to escape the Internet Explorer 11 sandbox and execute arbitrary code. This was patched by Microsoft in June 2020, but the patch was incomplete (the patch bypass is identified as CVE-2020-17008). Moreover, this patch introduced another vulnerability (an out-of-bounds read), disclosed by ZDI as a 0-day advisory on December 15th, 2020. All of these bugs were corrected in January 2021 and identified as CVE-2021-1648.