
CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild

A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) were chained together and exploited in the wild in targeted attacks. A separate Chrome vulnerability (CVE-2020-16009) has also been exploited in the wild.

Background

On October 20, Google released a stable channel update for Chrome for Desktop to address five security fixes, one of which (CVE-2020-15999) had been discovered by a member of its Project Zero research team and exploited in the wild.

On October 30, Ben Hawkes, a founding member and technical lead on Project Zero tweeted that the team had “detected and reported” a kernel vulnerability in Microsoft Windows (CVE-2020-17087) that was exploited alongside the Chrome vulnerability.

Analysis

CVE-2020-15999 is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of the FreeType 2 library, which is used for font rendering across a variety of applications, including Google Chrome. The vulnerability was discovered by Sergei Glazunov, a security researcher on the Project Zero team. An attacker could exploit the vulnerability by using social engineering to trick a user into visiting a malicious website hosting a specially crafted font file. The vulnerability would be triggered when the browser loads that font file from the malicious website.

CVE-2020-17087 is a “pool-based” buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys, according to the Project Zero team. In the team’s issue tracker, Mateusz Jurczyk, a Project Zero security researcher, says the flaw exists in the cng!CfgAdtpFormatPropertyBlock function as a result of a 16-bit integer truncation.
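To make the bug class concrete, the following is an added example written for this post; it is not code from cng.sys or from the Project Zero report, and the function names (format_block_vulnerable, format_block_hardened, truncated_size) and the sample data are invented. It models how a caller-controlled length that is stored in a 16-bit field undersizes an allocation while the full length still drives the copy, and shows the hardened form that validates the length before any narrowing conversion.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of a 16-bit integer truncation that undersizes
 * a heap/pool allocation (CWE-197). This is a constructed model of the bug
 * class, not code from cng.sys; all function names are invented. */

enum result { RESULT_OK = 0, RESULT_REJECTED = 1, RESULT_OVERFLOW = 2 };

/* Constructed sample input: 32 bytes of placeholder property data. */
static const uint8_t sample_data[32] = { 0x41 };

/* The arithmetic at the heart of the bug: lengths of 0x10000 and above
 * wrap when stored in a 16-bit field, so 0x10010 becomes 0x0010. */
uint16_t truncated_size(size_t len) {
    return (uint16_t)len;
}

/* Vulnerable pattern: the allocation is sized from a 16-bit copy of the
 * caller-controlled length, but the copy still uses the full length.
 * Instead of performing the out-of-bounds write, this model detects the
 * mismatch and reports it. */
enum result format_block_vulnerable(const uint8_t *data, size_t len) {
    uint16_t alloc_len = truncated_size(len);
    size_t copy_len = len;
    if (copy_len > alloc_len) {
        /* On a real target this is where memcpy would write past the
         * end of the buffer; the model stops here. */
        return RESULT_OVERFLOW;
    }
    uint8_t *buf = malloc(alloc_len ? alloc_len : 1);
    if (buf == NULL) return RESULT_REJECTED;
    memcpy(buf, data, copy_len);
    free(buf);
    return RESULT_OK;
}

/* Hardened pattern: reject lengths that do not fit the field before any
 * narrowing conversion, and derive the copy length from the checked value
 * so the allocation and the copy can never disagree. */
enum result format_block_hardened(const uint8_t *data, size_t len) {
    if (len > UINT16_MAX) return RESULT_REJECTED;
    uint16_t alloc_len = (uint16_t)len;
    uint8_t *buf = malloc(alloc_len ? alloc_len : 1);
    if (buf == NULL) return RESULT_REJECTED;
    memcpy(buf, data, alloc_len);
    free(buf);
    return RESULT_OK;
}

int main(void) {
    size_t big = 0x10010; /* 65,552 bytes: truncates to 16 */
    printf("0x%zx truncates to 0x%x\n", big, truncated_size(big));
    printf("vulnerable(0x%zx) -> %d (2 = overflow)\n", big,
           format_block_vulnerable(sample_data, big));
    printf("hardened(0x%zx)   -> %d (1 = rejected)\n", big,
           format_block_hardened(sample_data, big));
    printf("hardened(%zu)      -> %d (0 = ok)\n", sizeof sample_data,
           format_block_hardened(sample_data, sizeof sample_data));
    return 0;
}
```

The point for reviewers and defenders is the mismatch between the width used to size the buffer and the width used to bound the copy; a length check placed before the narrowing conversion, as in the hardened variant, closes that gap regardless of which kernel or library the pattern appears in.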

Chaining together CVE-2020-15999 and CVE-2020-17087 would allow an attacker to break out of Google Chrome’s sandbox. Exploiting a vulnerability in a browser may seem useful, but an attacker would still be limited in their actions by sandbox technology. Therefore, discovering a viable sandbox escape vulnerability is a valuable asset for cybercriminals, as they can use such flaws to elevate privileges on the system or potentially execute code, depending on the nature of the chained vulnerabilities.

Second chained vulnerability used to escape Chrome sandbox in the last year

This isn’t the first time two vulnerabilities have been exploited together as part of targeted attacks in Chrome and Windows. On October 31, 2019, Google patched CVE-2019-13720, a use-after-free zero-day vulnerability that was exploited in the wild. Researchers at Kaspersky were credited with discovering the vulnerability as part of a targeted attack operation known as Operation WizardOpium. One month later, Kaspersky disclosed that CVE-2019-13720 was used in the Operation WizardOpium attacks in conjunction with CVE-2019-1458, an elevation of privilege vulnerability in Microsoft Windows, in order to escape Google Chrome’s sandbox.

Patch for CVE-2020-17087 expected in November Patch Tuesday

In a tweet, Hawkes says a fix for the Windows Kernel vulnerability is expected to be released on November 10 as part of Microsoft’s Patch Tuesday release. In his tweet, Hawkes preemptively stated that these vulnerabilities were not associated with recent attacks against U.S. election-related infrastructure.

CVE-2020-16009: Google discloses additional vulnerability exploited in the wild

On November 2, as we were preparing to publish this blog post, Google released a new stable channel update for Chrome to address 10 vulnerabilities, including CVE-2020-16009, a vulnerability in Google Chrome’s V8 JavaScript engine due to “inappropriate implementation.” The vulnerability was discovered by security researchers Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of the Project Zero team. The vulnerability has reportedly been exploited in the wild, but no further details were available at the time this blog post was published.

Proof of concept

Glazunov has published a proof-of-concept (PoC) font file for CVE-2020-15999, and Marcin Kozlowski also published an in-progress PoC.

For CVE-2020-17087, a PoC was included as an attachment to the Google Project Zero issue tracker entry.

Details for CVE-2020-16009 were restricted at the time this blog post was published and no PoC was publicly available.

Solution

Google has addressed CVE-2020-15999 and CVE-2020-16009 in Google Chrome for Desktop for Windows, macOS and Linux.

CVE             Fixed Version
CVE-2020-15999  86.0.4240.111
CVE-2020-16009  86.0.4240.183

Users are strongly recommended to upgrade as soon as possible.

CVE-2020-17087 will reportedly be fixed as part of Microsoft’s November 2020 Patch Tuesday release. We will update this blog post once that fix becomes available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Additionally, customers can use our OS Identification plugin to identify Windows assets that will need to be patched once a patch becomes available.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
