CVE-2020-15999 & CVE-2020-17087 in 0-day sandbox escape

Attackers use zero-day exploits to penetrate systems and pursue the complete compromise of target networks. More sophisticated actor groups employ multiple exploits in an attack chain to overcome security measures in modern operating systems and applications.

Microsoft was made aware of a targeted campaign exploiting multiple vulnerabilities in late October 2020. The attackers used a remote code execution (RCE) vulnerability in Google Chrome and other Chromium-based browsers (CVE-2020-15999), as well as a separate elevation of privilege (EOP) vulnerability (assigned CVE-2020-17087) in the Windows Kernel Cryptography Driver, to execute code in the browser and escape the Chrome application sandbox.

Microsoft is closely monitoring use of this attack chain as well as publicly available proof-of-concept (PoC) exploit code that might indicate further attempts to exploit these vulnerabilities. As of the time of publishing, Microsoft has not observed any attempts to exploit these vulnerabilities in other attacks.

Google has issued a patch for CVE-2020-15999 in the Chrome browser, and Microsoft has issued a patch for CVE-2020-15999 in Microsoft Edge. Both patches addressing the RCE should be applied immediately. All Chromium-based browsers should be updated to their latest versions.

In addition, customers should apply security updates for CVE-2020-17087 as soon as they are available. Microsoft plans to provide security updates that address this vulnerability with the November 2020 Security Updates. Customers utilizing automatic updates don’t need to take additional actions. Enterprises that manually manage updates should select the latest security updates and deploy them across their environments.


Analysis

On October 20, 2020, Microsoft was informed of a targeted campaign that used a Remote Code Execution (RCE) vulnerability in the Google Chrome browser (CVE-2020-15999). On October 30, 2020, Google disclosed an elevation of privilege (EOP) vulnerability in the Windows Kernel Cryptography Driver (assigned CVE-2020-17087). Both vulnerabilities were being used in a single attack chain in the same targeted campaign. The attackers used the RCE vulnerability in Chrome to execute code inside the web browser and the EOP in Windows to elevate privileges and escape the Chrome application sandbox.

Although the campaign targeted Google Chrome, the RCE vulnerability CVE-2020-15999 exists not just in Chrome, but in all Chromium-based web browsers. This includes Chromium-based Edge.

To exploit the Windows EOP vulnerability, whether as part of the described campaign or in other possible attacks, an attacker must already be able to execute code on the system. In addition, exploiting the vulnerability to elevate privileges does not affect the overall cryptographic functionality of the driver.


MITRE ATT&CK techniques observed

The campaign utilized attacker techniques documented in the MITRE ATT&CK framework.


Mitigations

Apply these mitigations to reduce the impact of this threat.

  • Update all Chromium-based browsers and apps, including Google Chrome and Microsoft Edge, to their latest versions.
  • Apply the security updates for CVE-2020-17087 as soon as they are available.
  • Run the latest version of your operating systems and applications. Turn on automatic updates or deploy the latest security updates as soon as they become available.
  • Use a supported platform like Windows 10 to take advantage of regular security updates.

