Google’s Project Zero bug-hunting team has disclosed a Windows kernel flaw that’s being actively exploited by miscreants to gain administrator access on compromised machines. This gone public 7 days after it got discovered
The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” the bug report explains. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation
Malware already on a system, or a rogue insider, can potentially exploit this buggy driver to gain admin-level control of a vulnerable Windows box. The flaw, designated as CVE-2020-17087, is the result of improper 16-bit integer truncation that can lead to a buffer overflow.
The Google researchers have posted PoC exploit code tested on Windows 10 1903 (64-bit). They say the cng.sysflaw looks to have been present since at least Windows 7.
The Windows giant suggested exploitation would be difficult because an attacker would first need to compromise a host machine and then exploit another vulnerability of the local system. Microsoft says the only known remote-based attack chain for this vulnerability has been dealt with, a hole in Chromium-based browsers (CVE-2020-15999) that was fixed this month.
A patch is expected by November 10, 2020, which would be the next “Patch Tuesday” from Microsoft.