Windows 0-day kernel vulnerability discovered – it is already being exploited

Source: Heise.de added 31st Oct 2020

The Windows kernel cryptography driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a large number of IOCTLs with non-trivial input structures. This driver represents a locally accessible attack surface that can be exploited to escalate privileges. Security researchers therefore focus on this driver in order to find vulnerabilities.

On 22 October 2020, Mateusz Jurczyk and Sergei Glazunov from Google’s Project Zero discovered a 0-day vulnerability (CVE-2020-17087) in the Windows kernel. A proof of concept on Windows 10 1903 (64-bit) can provoke an integer overflow and crash the operating system. The vulnerability offers the possibility of a privilege escalation, so that malware could break out of a sandbox. This applies to the sandboxes used in browsers, in some Windows security functions, and in virus scanners to isolate processes.

Exploited via an exploit chain

The security researchers at Project Zero have decided to publish the 0-day vulnerability, for which Microsoft does not yet have a patch, within a period of 7 days. The background: the team has evidence that this 0-day vulnerability is already being exploited in attacks via an exploit chain, in conjunction with a recently discovered 0-day vulnerability in the FreeType program library used by Chromium-based browsers (Google Chrome, Microsoft Edge).

The Chrome 0-day vulnerability (CVE-2020-15999) has meanwhile been closed by the Google Chrome update 86.0.4240.111. In the Microsoft Edge browser, version 86.0.622.51 likewise eliminates the actively exploited vulnerability in the FreeType program library. Windows users should make sure that any other Chromium-based browsers they use (e.g. Vivaldi) are patched for this vulnerability.

Windows 7 to Windows 10 affected

The security researchers from Project Zero assume that the vulnerability CVE-2020-17087 in the Windows kernel cryptography driver (cng.sys) has existed since Windows 7. That means all Windows versions, from Windows 7 to the current Windows 10 20H2, including the server counterparts, are affected. Google Project Zero assumes that the vulnerability, which has been reported to Microsoft, will be closed by the next patch day on 10 November 2020.

(bme)
