Windows kernel zero-day vulnerability used in targeted attacks

LASER_oneXM

Level 37
Verified
Feb 4, 2016
2,562
Project Zero, Google's 0day bug-hunting team, today disclosed a zero-day elevation of privileges (EoP) vulnerability found in the Windows kernel and actively exploited in targeted attacks.

The flaw is a pool-based buffer overflow that exists in the Windows Kernel Cryptography Driver (cng.sys) and it is currently tracked as CVE-2020-17087.

Proof of concept exploit available


The Windows kernel bug zero-day can be exploited by local attackers for privilege escalation (including sandbox escape) according to Project Zero security researchers Mateusz Jurczyk and Sergei Glazunov.

"The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue," the researchers explain.
 
Last edited by a moderator:

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,360
Patched or not yet?
A patch is expected by November 10, 2020, which would be the next "Patch Tuesday" from Microsoft.

In an emailed statement, a Microsoft spokesperson said the company is working on a fix and characterized the known targeted attack as limited.
 

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,746
Two quotes from this article:
Malware already on a system, or a rogue insider, can potentially exploit this buggy driver to gain admin-level control of a vulnerable Windows box. The flaw, designated as CVE-2020-17087, is the result of improper 16-bit integer truncation that can lead to a buffer overflow.
However, the Windows giant suggested exploitation would be difficult because an attacker would first need to compromise a host machine and then exploit another vulnerability of the local system. Microsoft says the only known remote-based attack chain for this vulnerability has been dealt with, a hole in Chromium-based browsers (CVE-2020-15999) that was fixed this month.
It seems to me like no problem for the average person and that it will be fixed next Patch Tuesday November 10.
 
Top