A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) were chained together and exploited in the wild in targeted attacks. A separate Chrome vulnerability (CVE-2020-16009) has also been exploited in the wild.
Background
On October 20, Google released a stable channel update for Chrome for Desktop to address five security fixes, one of which (CVE-2020-15999) had been discovered by a member of its Project Zero research team and exploited in the wild.
Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh
— Ben Hawkes (@benhawkes) October 20, 2020
On October 30, Ben Hawkes, a founding member and technical lead on Project Zero tweeted that the team had “detected and reported” a kernel vulnerability in Microsoft Windows (CVE-2020-17087) that was exploited alongside the Chrome vulnerability.
In addition to last week's Chrome/freetype 0day (CVE-2020-15999), Project Zero also detected and reported the Windows kernel bug (CVE-2020-17087) that was used for a sandbox escape. The technical details of CVE-2020-17087 are now available here: https://t.co/bO451188Mk
— Ben Hawkes (@benhawkes) October 30, 2020
Analysis
CVE-2020-15999 is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of FreeType 2 library used for font rendering across a variety of applications, including Google Chrome. The vulnerability was discovered by Sergei Glazunov, a security researcher on the Project Zero team. An attacker could exploit the vulnerability by using social engineering to trick a user to visit a malicious website hosting a specially crafted font file. The vulnerability would be triggered when loaded through the malicious website.
CVE-2020-10787 is a “pool-based” buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys according to the Project Zero team. In the team’s issue tracker, Mateusz Jurczyk, a Project Zero security researcher, says the flaw exists in the cng!CfgAdtpFormatPropertyBlock function as a result of a 16-bit integer truncation.
Chaining together CVE-2020-15999 and CVE-2020-10787 would allow an attacker to break out of Google Chrome’s sandbox. Exploiting a vulnerability in a browser may seem useful, but an attacker would still be limited in their actions by sandbox technology. Therefore, discovering a viable sandbox escape vulnerability is a valuable asset for cybercriminals, as they can use such flaws to elevate privileges on the system or potentially execute code, depending on the nature of the chained vulnerabilities.
Second chained vulnerability used to escape Chrome sandbox in the last year
This isn’t the first time two vulnerabilities have been exploited together as part of targeted attacks in Chrome and Windows. On October 31, 2019, Google patched CVE-2019-13720, a use-after-free zero-day vulnerability that was exploited in the wild. Researchers at Kaspersky were credited with discovering the vulnerability as part of a targeted attack operation known as Operation WizardOpium. One month later, Kaspersky disclosed that CVE-2019-13720 was used in the Operation WizardOpium attacks in conjunction with CVE-2019-1458, an elevation of privilege vulnerability in Microsoft Windows in order to escape Google Chrome’s sandbox.
Patch for CVE-2020-17087 expected in November Patch Tuesday
In a tweet, Hawkes says a fix for the Windows Kernel vulnerability is expected to be released on November 10 as part of Microsoft’s Patch Tuesday release. In his tweet, Hawkes preemptively stated that these vulnerabilities were not associated with recent attacks against U.S. election-related infrastructure.
Currently we expect a patch for this issue to be available on November 10. We have confirmed with the Director of Google's Threat Analysis Group, Shane Huntley (@ShaneHuntley), that this is targeted exploitation and this is not related to any US election related targeting.
— Ben Hawkes (@benhawkes) October 30, 2020
CVE-2020-16009: Google discloses additional vulnerability exploited in the wild
On November 2, As we were preparing to publish this blog post, Google released a new stable channel update for Chrome to address 10 vulnerabilities, including CVE-2020-16009, a vulnerability in Google Chrome’s V8 JavaScript engine due to “inappropriate implementation.” The vulnerability was discovered by security researchers Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of the Project Zero team. The vulnerability has reportedly been exploited in the wild, but no further details were available at the time this blog post was published.
Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. https://t.co/IOhFwT0Wx1
— Ben Hawkes (@benhawkes) November 2, 2020
Proof of concept
Glazunov has published a proof-of-concept (PoC) font file for CVE-2020-15999, and Marcin Kozlowski also published an in-progress PoC.
For CVE-2020-17087, a PoC was included as an attachment to the Google Project Zero issue tracker entry.
Details for CVE-2020-16009 were restricted at the time this blog post was published and no PoC was publicly available.
Solution
Google has addressed CVE-2020-15999 and CVE-2020-16009 in Google Chrome for Desktop for Windows, macOS and Linux.
CVE | Fixed Version |
---|---|
CVE-2020-15999 | 86.0.4240.111 |
CVE-2020-16009 | 86.0.4240.183 |
Users are strongly recommended to upgrade to as soon as possible.
CVE-2020-17087 will reportedly be fixed as part of Microsoft’s November 2020 Patch Tuesday release. We will update this blog post once that fix becomes available.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Additionally, customers can use our OS Identification plugin to identify Windows assets that will need to be patched once a patch becomes available.
Get more information
- Google Chrome: Stable Channel Update for Desktop (86.0.4240.111)
- FreeType Project Bug Tracker #59308: Heap Buffer Overflow in Load_SBit_Png
- Google Chromium Tracker Issue #1139963: Heap buffer overflow in FreeType
- Google Project Zero Tracker Issue #2104: Pool-based buffer overflow in Windows Kernel
- Google Chrome: Stable Channel Update for Desktop (86.0.4240.138)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.