Windows kernel zero-day vulnerability used in targeted attacks

Project Zero, Google’s 0day bug-hunting team, today disclosed a zero-day elevation of privileges (EoP) vulnerability found in the Windows kernel and actively exploited in targeted attacks.

The flaw is a pool-based buffer overflow that exists in the Windows Kernel Cryptography Driver (cng.sys) and it is currently tracked as CVE-2020-17087.

Proof of concept exploit available

The Windows kernel bug zero-day can be exploited by local attackers for privilege escalation (including sandbox escape) according to Project Zero security researchers Mateusz Jurczyk and Sergei Glazunov.

“The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue,” the researchers explain.

Project Zero also provides a proof-of-concept exploit (PoC) that can be used to crash vulnerable Windows devices even for default system configurations.

The PoC was “tested on an up-to-date build of Windows 10 1903 (64-bit), but the vulnerability is believed to be present since at least Windows 7.”

Attacks not related to U.S. election

According to Ben Hawkes, technical team lead of Google’s Project Zero security research team, the ongoing attacks that exploit CVE-2020-17087 in the wild are not focused on targets associated with the U.S. election.

“Currently we expect a patch for this issue to be available on November 10,” said Ben Hawkes, technical team lead of Google’s Project Zero security research team.

“We have confirmed with the Director of Google’s Threat Analysis Group, Shane Huntley, that this is targeted exploitation and this is not related to any US election-related targeting.”

Even though the bug was added to the Project Zero issue tracker only 8 days ago, it was disclosed after only 7 days because it was being used by attackers in the wild.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s