Rapid7
Threat Research

Rapid7 Analysis: CVE-2020-17087 Windows Kernel local privilege escalation 0day

Last updated on Jun 16, 2026

Update: CVE-2020-17087 was patched on November 10, 2020, as part of Microsoft’s November Patch Tuesday release.

Description

On October 30, 2020, Google’s Project Zero team publicly disclosed CVE-2020-17087, a zero-day vulnerability in the Windows Kernel Cryptography Driver (cng.sys). The bug is a pool-based buffer overflow in the driver’s handling of I/O control (IOCTL) code 0x390400, which Project Zero’s report attributes to a 16-bit integer truncation in the computation of an allocation size. Because the IOCTL is reachable from an unprivileged, sandboxed process, the bug could allow a local attacker to escalate privileges, including as the second stage of a sandbox escape. The vulnerability is unpatched as of October 30; a patch is expected on November 10, 2020 as part of Microsoft’s November Patch Tuesday release.
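Project Zero’s report traces the bug to a 16-bit integer truncation of an allocation size inside the IOCTL 0x390400 handler. The C program below is an added example written for this page; it is not cng.sys code and not Project Zero’s proof of concept. It models that bug class in user mode with assumed names and an assumed expansion factor of six output bytes per input byte (the "XX " UTF-16 formatting used here is illustrative), shows the input length at which the truncated size wraps, and places a hardened size computation beside the vulnerable one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative model of the CVE-2020-17087 bug class: an allocation size
 * derived from a caller-controlled length is stored in a 16-bit variable,
 * while the loop that fills the buffer uses the full length. Names and the
 * expansion factor are assumptions for this example, not the driver's code.
 */
#define BYTES_PER_INPUT_BYTE 6u   /* assumed: each byte formatted as "XX " in UTF-16LE */

/* Size the vulnerable pattern actually allocates for src_len input bytes:
 * the product wraps at 0x10000 because it is truncated to 16 bits. */
uint16_t truncated_alloc_size(size_t src_len)
{
    return (uint16_t)(src_len * BYTES_PER_INPUT_BYTE);
}

/* Returns 1 if the vulnerable pattern would write past its allocation.
 * src_len is bounded by the IOCTL input length (a 32-bit value), so the
 * full-width product cannot itself wrap here. */
int vulnerable_overflows(size_t src_len)
{
    size_t needed = src_len * BYTES_PER_INPUT_BYTE;
    return needed > truncated_alloc_size(src_len);
}

/* Hardened size computation: full-width arithmetic with an explicit
 * overflow check. Returns 0 when src_len is 0 or the product would wrap. */
size_t safe_alloc_size(size_t src_len)
{
    if (src_len == 0 || src_len > SIZE_MAX / BYTES_PER_INPUT_BYTE)
        return 0;
    return src_len * BYTES_PER_INPUT_BYTE;
}

/* Formats each input byte as "XX " in UTF-16LE (3 code units = 6 bytes).
 * Returns a malloc'd buffer of exactly *out_len bytes, or NULL on a rejected
 * size or allocation failure. The caller frees the result. */
uint8_t *format_block_safe(const uint8_t *src, size_t src_len, size_t *out_len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t size = safe_alloc_size(src_len);
    if (size == 0)
        return NULL;
    uint8_t *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < src_len; i++) {
        uint8_t *p = buf + i * BYTES_PER_INPUT_BYTE;
        p[0] = (uint8_t)hex[src[i] >> 4];  p[1] = 0;
        p[2] = (uint8_t)hex[src[i] & 0xF]; p[3] = 0;
        p[4] = ' ';                        p[5] = 0;
    }
    *out_len = size;
    return buf;
}

/* Self-check on a constructed two-byte input: 0xAB 0x01 -> "AB 01 " in UTF-16LE. */
int selftest_format(void)
{
    static const uint8_t sample[] = { 0xAB, 0x01 };             /* constructed input */
    static const uint8_t expect[] = { 'A',0,'B',0,' ',0,'0',0,'1',0,' ',0 };
    size_t out_len = 0;
    uint8_t *out = format_block_safe(sample, sizeof sample, &out_len);
    int ok = out != NULL && out_len == sizeof expect &&
             memcmp(out, expect, sizeof expect) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* 0x2AAB * 6 = 0x10002, which truncates to 2: the vulnerable pattern
     * allocates 2 bytes and then writes 0x10002. One entry less (0x2AAA)
     * needs 0xFFFC bytes and still fits in 16 bits. */
    size_t len = 0x2AAB;
    printf("input bytes %#zx: needed %#zx, 16-bit size %#x, overflow: %s\n",
           len, len * BYTES_PER_INPUT_BYTE, truncated_alloc_size(len),
           vulnerable_overflows(len) ? "yes" : "no");
    printf("safe size for %#zx bytes: %#zx\n", len, safe_alloc_size(len));
    printf("format self-check: %s\n", selftest_format() ? "ok" : "FAILED");
    return 0;
}
```

The point of the model is the gap between what is allocated and what is written: past the wrap boundary the vulnerable path allocates a tiny pool chunk and then writes tens of kilobytes of attacker-influenced formatted data over the neighbouring allocations, which is exactly the kind of crash the public PoC produces. Turning that into controlled code execution still requires knowing what sits after the chunk, which is why the paragraphs below treat exploitability separately from the ease of triggering the bug.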

Project Zero researchers said in their disclosure that Google has seen evidence of the zero-day being used in targeted attacks in the wild. Project Zero lead Ben Hawkes said on Twitter that CVE-2020-17087 was used in conjunction with CVE-2020-15999, another zero-day, a heap buffer overflow in the FreeType font library bundled with Google Chrome, to form an exploit chain: the FreeType bug gave attackers code execution inside Chrome’s renderer sandbox, and the cng.sys bug let them escape that sandbox and execute code on the underlying Windows operating system.

Affected products

In their initial report on October 22, 2020, Mateusz Jurczyk and Sergei Glazunov of Project Zero said they’d verified that an up-to-date build of Windows 10 1903 (64-bit) was vulnerable, but that they believed that the vulnerability had been present since at least Windows 7.

Rapid7 analysis

An unpatched zero-day in the Windows kernel that affects a huge swath of Windows users and is being exploited in the wild is undoubtedly a concern. Both rich technical detail and proof-of-concept (PoC) code are publicly available, to researchers and to attackers looking to build exploit chains of their own, and Rapid7 researchers were able to easily reproduce the crash on Windows 10 (v1909 build 18362). However, as Metasploit research lead Spencer McIntyre points out in his assessment of CVE-2020-17087, the vulnerability’s value to attackers is high, but its exploitability is at least somewhat more limited than it might appear at first glance. The public PoC demonstrates a kernel pool corruption and a crash; building a full exploit chain from it would require additional primitives (for example, a kernel information leak) to turn that corruption into reliable code execution.

It’s possible we’ll quickly see exploit code that extends the Project Zero researchers’ work and enables broader-scale attacks than the targeted exploitation Google disclosed to Microsoft earlier this month. It’s also possible, however, that the difficulty of reliably exploiting kernel pool (heap) corruption will slow down at-scale attacker capabilities until Microsoft releases a patch.
