Windows Kernel 0-day vulnerability used in the wild

[German]Cybercriminals use an exploit chain to attack a patched 0-day vulnerability in the chrome browser (Edge) and an unpatched 0-day vulnerability in the Windows kernel. The vulnerability has just been disclosed by Google Project Zero.


Advertising

In this release, Google Project Zero inform about two vulnerabilities in Chromium browser (patched) and in Windows kernel (unpatched), andthat they have evidence that the disclosed vulnerabilities are already being exploited in the wild.

Tweet über Windows 0-day Schwachstelle

According to the above tweet, in addition to the chrome/freetype 0-day exploit (CVE-2020-15999) discovered by Project Zero last week, there is also the Windows kernel bug (CVE-2020-17087). The Chrome 0-day exploit (CVE-2020-15999) is now patched (see Google Chrome 86.0.4240.111: Critical Security Update and Security update: Edge 86.0.622.51 released).

The Windows kernel bug (CVE-2020-17087)

The Windows kernel bug (CVE-2020-17087) can be used to escape from the sandbox (sandbox escape). The technical details of CVE-2020-17087 are now available. The Windows kernel cryptography driver (cng.sys) provides a \Device\CNG device for user mode programs and supports a variety of IOCTLs with non-trivial input structures. It represents a locally accessible attack surface that can be exploited for privilege escalation (e.g. sandbox escape).

The Project Zero team was able to provoke an integer overflow in such a function, which was successfully tested as proof of concept (PoC) on Windows 10 1903 (64-bit). A crash is easiest to reproduce when special pools are enabled for cng.sys, but even in the default configuration, 64kB of kernel data corruption will almost certainly crash the system shortly after the exploit is executed.


Advertising

Windows 7 through Windows 10 affected

Even though the PoC was tested with Windows 10 1903 (64-bit), the people at Google Project Zero assume that the vulnerability exists at least since Windows 7. This would make all Windows systems up to Windows 10 20H2 including the server counterparts vulnerable. It is expected that the 0-day vulnerability will be fixed with an update on November 10, 2020 (patchday). (via)


Advertising

This entry was posted in browser, Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).