Google’s Project Zero has discovered a 0-day vulnerability in the Windows kernel, which is already being exploited in the Chrome browser as part of an exploit chain.
The Windows kernel cryptographic driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTL calls with non-trivial input structures. This driver represents a locally accessible attack surface that can be exploited for privilege escalation, which is why security researchers focus on it when looking for vulnerabilities.
On October 22, 2020, Mateusz Jurczyk and Sergei Glazunov from Google's Project Zero discovered a 0-day vulnerability (CVE-2020-17087) in the Windows kernel. In a proof of concept, they were able to trigger an integer overflow and crash the operating system on Windows 10 1903 (64-bit). The vulnerability offers the possibility of privilege escalation, which could allow malware to break out of a sandbox. This applies to the sandboxes used in browsers as well as those used by some Windows security features and virus scanners to isolate processes.
Used via an exploit chain
Project Zero's security researchers have decided to publish the 0-day vulnerability, which Microsoft has not yet patched, after a disclosure period of 7 days. The background: the team has evidence that this 0-day vulnerability, in conjunction with a recently discovered 0-day vulnerability in the FreeType library used by Chromium-based browsers (Google Chrome, Microsoft Edge), is already being used in exploit chain attacks.
The Chrome 0-day vulnerability (CVE-2020-15999) has since been fixed by the update to Google Chrome 86.0.4240.111. The actively exploited vulnerability in the FreeType library was also eliminated in version 86.0.622.51 of the Microsoft Edge browser. Windows users should make sure that other Chromium-based browsers (e.g. Vivaldi) are also patched for this vulnerability.
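As a practical follow-up to that advice, the following PowerShell check is an added example (it is not from the article, Google, or Project Zero) that compares the installed Chrome and Edge versions against the fixed versions named above; the install paths are assumed default locations and the script only reads file metadata.

```powershell
# Added example: verify that installed Chromium-based browsers are at or above
# the versions the article names as fixed for CVE-2020-15999.
# Assumption: browsers live in their default install locations (system-wide or per-user).
$Browsers = @(
    @{ Name = 'Google Chrome';  Min = [version]'86.0.4240.111'
       Paths = @("$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                 "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
                 "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe") }
    @{ Name = 'Microsoft Edge'; Min = [version]'86.0.622.51'
       Paths = @("${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
                 "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe") }
)

function Test-BrowserPatched {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$CandidatePaths,
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    # Use the first candidate path that exists; report "not installed" if none does.
    $exe = $CandidatePaths | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $exe) {
        return [pscustomobject]@{ Browser = $Name; Installed = $null; Required = $MinimumVersion; Status = 'not installed' }
    }
    # Chromium builds stamp the product version into the executable's file version.
    $installed = [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $status = if ($installed -ge $MinimumVersion) { 'patched' } else { 'UPDATE REQUIRED' }
    [pscustomobject]@{ Browser = $Name; Installed = $installed; Required = $MinimumVersion; Status = $status }
}

$results = foreach ($b in $Browsers) {
    Test-BrowserPatched -Name $b.Name -CandidatePaths $b.Paths -MinimumVersion $b.Min
}
$results | Format-Table -AutoSize
# Non-zero exit code if any installed browser is below the fixed version, for use in scheduled checks.
if ($results | Where-Object Status -eq 'UPDATE REQUIRED') { exit 1 }
```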
Windows 7 to Windows 10 affected
Project Zero's security researchers believe that the CVE-2020-17087 vulnerability in the Windows kernel cryptographic driver (cng.sys) has existed since Windows 7. This would affect all Windows versions from Windows 7 up to the current Windows 10 20H2, including their server counterparts. Google Project Zero expects that the vulnerability reported to Microsoft will be fixed on the next patch day, November 10, 2020.