Google Project Zero reports that one of the patches Microsoft released earlier this week as part of "Patch Tuesday", namely the fix for Windows LSASS (Local Security Authority Subsystem Service), turned out to be ineffective.
The August Patch Tuesday includes fixes for 120 Microsoft products, from the Edge browser to Windows and from SQL Server to the .NET Framework. Seventeen of the vulnerabilities are rated "critical" (mainly bugs in Windows, Edge, Internet Explorer, Outlook, and the .NET Framework). Microsoft also patched two 0-day vulnerabilities that were already under attack. The vulnerability in question is tracked as CVE-2020-1509; Google Project Zero researcher James Forshaw discovered it in May of this year.
"The bug can be exploited by using specially crafted authentication requests, and in order to successfully exploit the problem, an attacker will need to know the valid credentials in advance," said James Forshaw.
In the spring, the researcher also explained that the problem is related to a deprecated AppContainer capability that grants access to the Security Support Provider Interface (SSPI), probably intended to ease the deployment of business applications in corporate environments. Authentication through this capability is supposed to be authorized only if the target specified in the call matches a configured proxy. However, Forshaw found that authentication was allowed even when the network name did not match the registered proxy.
This meant that an attacker could authenticate to network resources and bypass defenses such as SPN verification and SMB signing. As a result, the attacker could, under certain conditions, even gain access to localhost services.
In May, Forshaw published a PoC exploit for this issue to demonstrate how an application can gain elevated privileges using this bug.
Now Forshaw warns that the patch for CVE-2020-1509 released this week is not effective. According to the researcher, the vulnerability can still be attacked if a configured proxy is present on the system. Moreover, the original exploit still works: a user only needs to manually add a proxy server in the settings and meet a number of conditions.
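Because the remaining exposure hinges on whether a proxy is configured, a defender's first question on a patched host is simply "is there one?". The following PowerShell check is an added example, not code from the article or from Project Zero; the article does not say which proxy setting the bypass relies on, so as an assumption it inspects both the per-user WinINet proxy (Internet Options) and the machine-wide WinHTTP proxy used by services.

```powershell
# Added example (not from the article or Project Zero): report proxy settings
# that would leave a host within the condition Forshaw describes for the
# incomplete CVE-2020-1509 fix. Assumption: both WinINet and WinHTTP proxies
# are checked because the article does not name the relevant setting.

function Get-ProxyExposure {
    $findings = @()

    # Per-user WinINet proxy (Settings > Proxy / Internet Options)
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
        $findings += [pscustomobject]@{ Source = 'WinINet (user)'; Proxy = $inet.ProxyServer }
    }
    if ($inet -and $inet.AutoConfigURL) {
        $findings += [pscustomobject]@{ Source = 'WinINet PAC (user)'; Proxy = $inet.AutoConfigURL }
    }

    # Machine-wide WinHTTP proxy; "Direct access" means none is set
    $winhttp = (netsh winhttp show proxy) -join ' '
    if ($winhttp -notmatch 'Direct access') {
        $findings += [pscustomobject]@{
            Source = 'WinHTTP (machine)'
            Proxy  = ($winhttp -replace '\s+', ' ').Trim()
        }
    }

    return $findings
}

$exposure = @(Get-ProxyExposure)
if ($exposure.Count -eq 0) {
    Write-Output 'No configured proxy found: the reported bypass condition is not met on this host.'
} else {
    Write-Output 'Configured proxy present: treat the CVE-2020-1509 patch as insufficient until a complete fix ships.'
    $exposure | Format-Table -AutoSize
}
```

Run it under the account whose proxy settings matter, since the WinINet values are stored per user.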
"In corporate environments, [a proxy] is most likely the norm, which means this is a very serious problem there," writes the researcher.
As a reminder, Microsoft recently reported on its 15 bug bounty programs for last year. It turned out that in 2019 the company paid researchers a total of $13,700,000 for discovered vulnerabilities, three times more than a year earlier.