Wednesday, December 23, 2020

Micropatch is Available for WSUS Spoofing Local Privilege Escalation Vulnerability (CVE-2020-1013)


by Mitja Kolsek, the 0patch Team

Windows 7 and Server 2008 R2 users without Extended Security Updates have just received a micropatch for CVE-2020-1013, a WSUS spoofing local privilege escalation vulnerability.

This vulnerability was patched by Microsoft with September 2020 Updates, but POC became available in October when original researchers from GoSecure published it.Windows 7 and Server 2008 R2 users without Extended Security Updates remained vulnerable so we decided to create a micropatch for them.
This turned out to be harder than we had expected - not because it was hard to write a micropatch but because it was difficult to reproduce the issue on these platforms (the original POC was written for Windows 10). We had to dive deep into communication between Windows Update client and WSUS and its specifics for Windows 7, all the while multitasking on several other vulns, and finally ended up with a working POC - quickly followed by a micropatch.
Note that while Windows 7 and Server 2008 R2 machines without Extended Security Updates obviously don't receive operating system updates anymore, it makes sense to keep them connected to WSUS in order to receive updates for various installed Microsoft products.

The vulnerability lies in Windows Update client's willingness to honor the proxy set by a low-privileged user, while also trusting certificates from such user's certificate store. This means that even if the update client was configured to contact WSUS via HTTPS, a local attacker could redirect its communication through their own proxy using a self-signed certificate. Meta data provided to the update client would then be trusted, and long story short, attacker's file would be stored to a chosen location on the computer, where it would later be executed with high privileges. 
Microsoft's patch prevents Update Client from honoring user-defined proxy, and also provides a way to re-enable this feature via registry.
Our micropatch also prevents Update Client from honoring user-defined proxy in logically identical way to Microsoft's, while admins can re-enable the feature by simply disabling the micropatch.
A video of the micropatch in action:

We'd like to thank  Maxime Nadeau of GoSecure for sharing their analysis and POC, which allowed us to create this micropatch for Windows users without official security updates. We also encourage security researchers to privately share their analyses with us for micropatching.

This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account in 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch. 

And don't forget, if your organization has Windows 7 or Server 2008 R2 machines with Extended Security Updates and wouldn't mind saving lots of money on less expensive security patches in 2021 that don't even need your machines to be restarted, proceed to our New Year's Resolution.

To learn more about 0patch, please visit our Help Center

No comments:

Post a Comment