Project Zero: August 2020 LSASS patch does not adequately protect Windows 10

Microsoft has probably failed to patch a vulnerability properly with its Windows security updates of August 11, 2020, which were intended to fix the LSASS vulnerability. According to Google Project Zero, the vulnerability remains insufficiently patched in Windows 10 version 1909.


Patch the vulnerability CVE-2020-1509

Windows contained the vulnerability CVE-2020-1509 (Local Security Authority Subsystem Service Elevation of Privilege Vulnerability). The cause is that the Local Security Authority Subsystem Service (LSASS) allowed an elevation of privilege. To exploit it, an authenticated attacker had to send a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could obtain elevated privileges in the target system's LSASS service.

Microsoft released security updates for Windows 8.1 through Windows 10, including its server counterparts, on August 11, 2020 (see CVE-2020-1509). The security updates were intended to fix the vulnerability. James Forshaw of Team Project Zero was thanked for the discovery and reporting of the vulnerability.

Patch probably incomplete

James Forshaw of Project Zero wrote on May 5, 2020, in a report that has now probably been made public, that Microsoft's security updates are probably incomplete; see his comment of August 12, 2020.

I came across this issue through the above tweet and this post.


Windows: AppContainer Enterprise Authentication Capability Bypass
Platform: Windows 10 1909
Class: Elevation of Privilege
Security Boundary: AppContainer
LSASS doesn't correctly enforce the Enterprise Authentication Capability which allows any AppContainer to perform network authentication with the user's credentials.
One of the original legacy AppContainer capabilities grants access to Enterprise Authentication, which basically means access to the SSPI functions. This is listed as a Restricted Capability which means that it wouldn't automatically be approved in the Windows Store and is probably only used in side-loaded Enterprise LOB applications. Without this capability access to SSPI would be blocked.
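The report above says that the Enterprise Authentication capability is what is supposed to gate an AppContainer's access to SSPI. A defender's first question is which installed packages legitimately declare that capability, so that anything else authenticating on the user's behalf stands out. The following audit script is an added example, not code from the blog post or from Project Zero; it assumes Windows 10 with the built-in Appx PowerShell module and an elevated session so that -AllUsers can see every user's packages. The function name Get-EnterpriseAuthPackages is my own.

```powershell
# Added example (not from the blog post or the Project Zero report).
# Lists installed AppX packages whose manifest declares the
# enterpriseAuthentication capability, the capability the report says
# LSASS fails to enforce. Run from an elevated PowerShell session.

function Get-EnterpriseAuthPackages {
    [CmdletBinding()]
    param()

    foreach ($pkg in Get-AppxPackage -AllUsers) {
        try {
            $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction Stop
        } catch {
            # Some system packages have no readable manifest; skip them.
            continue
        }

        # The PowerShell XML adapter matches child elements by local name, so
        # Capability, rescap:Capability and uap:Capability are all collected here.
        $caps = @($manifest.Package.Capabilities.Capability |
                  Where-Object { $_ } |
                  ForEach-Object { $_.Name })

        if ($caps -contains 'enterpriseAuthentication') {
            [PSCustomObject]@{
                Name          = $pkg.Name
                Publisher     = $pkg.Publisher
                Version       = $pkg.Version
                # Store-signed vs. Developer/Enterprise side-loaded, per the
                # report's point that this is a restricted capability.
                SignatureKind = $pkg.SignatureKind
                Capabilities  = ($caps -join ',')
            }
        }
    }
}

# Usage: show holders of the capability, side-loaded packages first.
Get-EnterpriseAuthPackages | Sort-Object SignatureKind, Name | Format-Table -AutoSize
```

The output is an inventory of the packages that are allowed to use SSPI by design. It does not detect the bypass itself: the point of the report is that an AppContainer without the capability can still authenticate, so the list is a baseline for reviewing side-loaded LOB packages while waiting for a complete fix from Microsoft.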

Proof-of-concept (PoC) code was also included to show how an application can bypass the Enterprise Authentication check to achieve elevated privileges. The PoC attempts to list the Windows Server Message Block (SMB) shares, and although the operating system should not allow this access, the local shares are still listed. Details can be found here and at ZDNet. Let's see when Microsoft will make improvements.
