Two weeks ago, Google patched a vulnerability in Chrome that was under active exploitation by attackers, saying that it had evidence of an exploit in the wild. Now, Google researchers have disclosed an unpatched vulnerability in Windows that was being used in conjunction with the Chrome bug in some attacks.
Google’s Project Zero research team discovered both vulnerabilities and on Friday the team disclosed the details of the Windows bug (CVE-2020-17087), which is a buffer overflow in the kernel cryptography driver. The flaw is not remotely exploitable on its own but can be used for privilege escalation once an attacker already has access to a target machine. Google’s researchers saw attackers using this bug along with the Chrome flaw (CVE-2020-15999) in targeted attacks.
“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. It constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape),” the Project Zero bug report says.
“We have evidence that this bug is being used in the wild.”
Microsoft is expected to release a patch for the vulnerability on Nov. 10.
The exploitation attempts that Google has seen involving this vulnerability have been targeted attacks and not related to any intrusion attempts on election infrastructure, the company said. The Project Zero team published a proof-of-concept exploit for the bug, which it said has likely been around since Windows 7.
“It was tested on an up-to-date build of Windows 10 1903 (64-bit), but the vulnerability is believed to be present since at least Windows 7. A crash is easiest to reproduce with Special Pools enabled for cng.sys, but even in the default configuration the corruption of 64kB of kernel data will almost surely crash the system shortly after running the exploit,” the bug report says.
In late October, Project Zero researchers discovered that attackers were exploiting a previously unknown flaw in Chrome, which turned out to be a heap buffer overflow in the FreeType font-rendering engine Chrome uses. Google patched the vulnerability on Oct. 20 for Chrome desktop users. But two days later researchers filed a separate bug report for the Windows kernel vulnerability that was being used alongside the Chrome flaw. Both vulnerabilities were subject to Project Zero’s most aggressive seven-day disclosure deadline, which it applies to bugs that are being actively exploited.