ACROS Security has released a micropatch for the CVE-2020-1013 (WSUS Spoofing, Local Privilege Escalation in Group Policies) vulnerability for Windows 7 and Server 2008 R2 (without ESU license). Here is some information about it.
CVE-2020-1013 has been assigned for a ‘Group Policy Elevation of Privilege’ vulnerability in Windows 7 and Windows Server 2008 R2. Microsoft writes:
A vulnerability exists regarding elevation of privilege when Microsoft processes Windows Group Policy updates. An attacker who successfully exploited this vulnerability could potentially elevate privileges or perform additional privileged actions on the target computer.
To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack on traffic between a domain controller and the target computer. An attacker could then create a group policy to grant administrative privileges to a standard user.
The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls via LDAP.
Microsoft released a security update for Windows 7 SP1, Windows Server 2008, Windows Server 2008 R2 and newer versions of Windows on September 8, 2020. However, users of Windows 7 SP1 and Windows Server 2008/R2 who do not have an ESU license no longer receive the security updates released by Microsoft.
The ACROS Security post linked below also points out that the vulnerability allows WSUS spoofing, which Microsoft has not documented.
0patch Fix for Windows 7 SP1/Server 2008 R2
Microsoft writes in the security advisory that details about the vulnerability are not publicly known and that exploitation is difficult. However, a proof of concept (PoC) was published by security researchers from GoSecure in October 2020. As a result, security researchers at ACROS Security decided to develop a micropatch for users of Windows 7 and Windows Server 2008 R2 without an ESU license. I was made aware of the information about the release of the micropatch for Windows 7 SP1 and Windows Server 2008 R2 via Twitter.
Mitja Kolsek has published some more details about this micropatch and the vulnerability in this blog post. This micropatch is available immediately for 0patch users with PRO license and is already applied to all online computers with 0patch Agent (except in non-standard Enterprise configurations). As always, no computer reboot is required and users’ work is not interrupted.
For information on how the 0patch Agent works, which loads the micro-patches into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below.
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
0patch supports Office 2010 with micro patches after the end of support (EOL)
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2