CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild


A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) were chained together and exploited in the wild in targeted attacks. A separate Chrome vulnerability (CVE-2020-16009) has also been exploited in the wild.

Background

On October 20, Google released a stable channel update for Chrome for Desktop to address five security fixes, one of which (CVE-2020-15999) had been discovered by a member of its Project Zero research team and exploited in the wild.

On October 30, Ben Hawkes, a founding member and technical lead on Project Zero tweeted that the team had “detected and reported” a kernel vulnerability in Microsoft Windows (CVE-2020-17087) that was exploited alongside the Chrome vulnerability.

Analysis

CVE-2020-15999 is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of FreeType 2 library used for font rendering across a variety of applications, including Google Chrome. The vulnerability was discovered by Sergei Glazunov, a security researcher on the Project Zero team. An attacker could exploit the vulnerability by using social engineering to trick a user to visit a malicious website hosting a specially crafted font file. The vulnerability would be triggered when loaded through the malicious website.

CVE-2020-17087 is a “pool-based” buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys according to the Project Zero team. In the team’s issue tracker, Mateusz Jurczyk, a Project Zero security researcher, says the flaw exists in the cng!CfgAdtpFormatPropertyBlock function as a result of a 16-bit integer truncation.

Chaining together CVE-2020-15999 and CVE-2020-17087 would allow an attacker to break out of Google Chrome’s sandbox. Exploiting a vulnerability in a browser may seem useful, but an attacker would still be limited in their actions by sandbox technology. Therefore, discovering a viable sandbox escape vulnerability is a valuable asset for cybercriminals, as they can use such flaws to elevate privileges on the system or potentially execute code, depending on the nature of the chained vulnerabilities.

Second chained vulnerability used to escape Chrome sandbox in the last year

This isn’t the first time two vulnerabilities have been exploited together as part of targeted attacks in Chrome and Windows. On October 31, 2019, Google patched CVE-2019-13720, a use-after-free zero-day vulnerability that was exploited in the wild. Researchers at Kaspersky were credited with discovering the vulnerability as part of a targeted attack operation known as Operation WizardOpium. One month later, Kaspersky disclosed that CVE-2019-13720 was used in the Operation WizardOpium attacks in conjunction with CVE-2019-1458, an elevation of privilege vulnerability in Microsoft Windows in order to escape Google Chrome’s sandbox.

Patch for CVE-2020-17087 expected in November Patch Tuesday

In a tweet, Hawkes says a fix for the Windows Kernel vulnerability is expected to be released on November 10 as part of Microsoft’s Patch Tuesday release. In his tweet, Hawkes preemptively stated that these vulnerabilities were not associated with recent attacks against U.S. election-related infrastructure.

CVE-2020-16009: Google discloses additional vulnerability exploited in the wild

On November 2, As we were preparing to publish this blog post, Google released a new stable channel update for Chrome to address 10 vulnerabilities, including CVE-2020-16009, a vulnerability in Google Chrome’s V8 JavaScript engine due to “inappropriate implementation.” The vulnerability was discovered by security researchers Clement Lecigne of Google’s Threat Analysis Group and Samuel Groß of the Project Zero team. The vulnerability has reportedly been exploited in the wild, but no further details were available at the time this blog post was published.

Proof of concept

Glazunov has published a proof-of-concept (PoC) font file for CVE-2020-15999, and Marcin Kozlowski also published an in-progress PoC.

For CVE-2020-17087, a PoC was included as an attachment to the Google Project Zero issue tracker entry.

Details for CVE-2020-16009 were restricted at the time this blog post was published and no PoC was publicly available.

Solution

Google has addressed CVE-2020-15999 and CVE-2020-16009 in Google Chrome for Desktop for Windows, macOS and Linux.






CVE Fixed Version
CVE-2020-15999 86.0.4240.111
CVE-2020-16009 86.0.4240.183

Users are strongly recommended to upgrade to as soon as possible.

CVE-2020-17087 will reportedly be fixed as part of Microsoft’s November 2020 Patch Tuesday release. We will update this blog post once that fix becomes available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Additionally, customers can use our OS Identification plugin to identify Windows assets that will need to be patched once a patch becomes available.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.





Source link