
Tenable Blog


CVE-2020-15999, CVE-2020-17087: Google Chrome FreeType and Microsoft Windows Kernel Zero Days Exploited in the Wild

A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) were chained together and exploited in the wild in targeted attacks. A separate Chrome vulnerability (CVE-2020-16009) has also been exploited in the wild.

Background

On October 20, Google released a stable channel update for Chrome for Desktop to address five security fixes, one of which (CVE-2020-15999) had been discovered by a member of its Project Zero research team and exploited in the wild.

On October 30, Ben Hawkes, a founding member and technical lead on Project Zero, tweeted that the team had “detected and reported” a kernel vulnerability in Microsoft Windows (CVE-2020-17087) that was exploited alongside the Chrome vulnerability.

Analysis

CVE-2020-15999 is a heap buffer overflow vulnerability in the “Load_SBit_Png” function of the FreeType 2 library, which is used for font rendering across a variety of applications, including Google Chrome. The vulnerability was discovered by Sergei Glazunov, a security researcher on the Project Zero team. An attacker could exploit the vulnerability by using social engineering to trick a user into visiting a malicious website hosting a specially crafted font file. The vulnerability would be triggered when the browser loads that font file from the malicious website.

CVE-2020-17087 is a “pool-based” buffer overflow vulnerability in the Windows Kernel Cryptography Driver, cng.sys, according to the Project Zero team. In the team’s issue tracker, Mateusz Jurczyk, a Project Zero security researcher, says the flaw exists in the cng!CfgAdtpFormatPropertyBlock function as a result of a 16-bit integer truncation.
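As an added illustration of the bug class named above (constructed for this post; it is not the cng.sys code and not from the Project Zero report), the C snippet below shows a byte count that is narrowed to 16 bits before it sizes an allocation, next to a hardened variant that computes the size in a wide type and rejects values that do not fit. ELEM_SIZE, the function names and the sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example of the bug class described above: a byte count that
 * is narrowed to 16 bits before it sizes an allocation. The names, ELEM_SIZE
 * and the sample data are hypothetical; this is not the cng.sys code. */
#define ELEM_SIZE 8u /* hypothetical fixed size of one property entry */

/* Buggy path: the product is truncated to 16 bits, so a large `count`
 * wraps to a small (even zero-byte) allocation while later code still
 * processes all `count` entries, writing past the end of the buffer. */
uint16_t truncated_alloc_size(uint32_t count)
{
    return (uint16_t)(count * ELEM_SIZE); /* truncation happens here */
}

/* Hardened path: compute in a wide type and reject any size that would
 * not fit the 16-bit field the format provides. Returns 0 on overflow. */
size_t checked_alloc_size(uint32_t count)
{
    uint64_t size = (uint64_t)count * ELEM_SIZE;
    if (size == 0 || size > UINT16_MAX) return 0;
    return (size_t)size;
}

/* Allocate from the checked size and copy exactly that many bytes.
 * Returns NULL (allocating nothing) when the size would overflow. */
uint8_t *copy_entries_checked(const uint8_t *src, uint32_t count)
{
    size_t size = checked_alloc_size(count);
    if (size == 0) return NULL;
    uint8_t *dst = malloc(size);
    if (dst == NULL) return NULL;
    memcpy(dst, src, size);
    return dst;
}

/* Constructed sample input: 16 bytes, i.e. two entries of ELEM_SIZE. */
static const uint8_t SAMPLE[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

/* Self-check: the hardened copy reproduces the sample exactly (1) or not (0). */
int sample_copy_matches(void)
{
    uint8_t *dst = copy_entries_checked(SAMPLE, 2);
    int ok = dst != NULL && memcmp(dst, SAMPLE, sizeof SAMPLE) == 0;
    free(dst);
    return ok;
}
```

With 8192 entries the buggy size wraps to 0 bytes while the checked path refuses the request, which is the mismatch a code reviewer or fuzzer looks for in this bug class.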

Chaining together CVE-2020-15999 and CVE-2020-17087 would allow an attacker to break out of Google Chrome’s sandbox. Exploiting a vulnerability in a browser may seem useful, but an attacker would still be limited in their actions by sandbox technology. Therefore, discovering a viable sandbox escape vulnerability is a valuable asset for cybercriminals, as they can use such flaws to elevate privileges on the system or potentially execute code, depending on the nature of the chained vulnerabilities.

Second chained vulnerability used to escape Chrome sandbox in the last year

This isn’t the first time two vulnerabilities have been exploited together as part of targeted attacks in Chrome and Windows. On October 31, 2019, Google patched CVE-2019-13720, a use-after-free zero-day vulnerability that was exploited in the wild. Researchers at Kaspersky were credited with discovering the vulnerability as part of a targeted attack operation known as Operation WizardOpium. One month later, Kaspersky disclosed that CVE-2019-13720 was used in the Operation WizardOpium attacks in conjunction with CVE-2019-1458, an elevation of privilege vulnerability in Microsoft Windows, in order to escape Google Chrome’s sandbox.

Patch for CVE-2020-17087 expected in November Patch Tuesday

In a tweet, Hawkes says a fix for the Windows Kernel vulnerability is expected to be released on November 10 as part of Microsoft’s Patch Tuesday release. In his tweet, Hawkes preemptively stated that these vulnerabilities were not associated with recent attacks against U.S. election-related infrastructure.

CVE-2020-16009: Google discloses additional vulnerability exploited in the wild

On November 2, as we were preparing to publish this blog post, Google released a new stable channel update for Chrome to address 10 vulnerabilities, including CVE-2020-16009, a vulnerability in Google Chrome’s V8 JavaScript engine due to “inappropriate implementation.” The vulnerability was discovered by security researchers Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of the Project Zero team. The vulnerability has reportedly been exploited in the wild, but no further details were available at the time this blog post was published.

Proof of concept

Glazunov has published a proof-of-concept (PoC) font file for CVE-2020-15999, and Marcin Kozlowski also published an in-progress PoC.

For CVE-2020-17087, a PoC was included as an attachment to the Google Project Zero issue tracker entry.

Details for CVE-2020-16009 were restricted at the time this blog post was published and no PoC was publicly available.

Solution

Google has addressed CVE-2020-15999 and CVE-2020-16009 in Google Chrome for Desktop for Windows, macOS and Linux.

CVE             Fixed Version
CVE-2020-15999  86.0.4240.111
CVE-2020-16009  86.0.4240.183

Users are strongly recommended to upgrade to the fixed versions as soon as possible.
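As an added helper for checking an installed build against the table above (written for this post; it is not Tenable's plugin code), the C snippet below parses a four-part Chrome version string and reports whether it already carries the fix for a given CVE. The fixed versions are taken from the table; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Added helper, not Tenable's plugin code: compare an installed Chrome
 * version string ("major.minor.build.patch") against the fixed versions
 * listed in the table above. */
struct fixed_version { const char *cve; const char *version; };

static const struct fixed_version FIXED[] = {
    { "CVE-2020-15999", "86.0.4240.111" },
    { "CVE-2020-16009", "86.0.4240.183" },
};

/* Parse "a.b.c.d" into four numbers; 1 on success, 0 on malformed input
 * (missing parts or trailing characters). */
static int parse_version(const char *s, unsigned p[4])
{
    char tail;
    return sscanf(s, "%u.%u.%u.%u%c", &p[0], &p[1], &p[2], &p[3], &tail) == 4;
}

/* <0, 0, >0 as a is older than, equal to, newer than b; -2 if malformed. */
int compare_versions(const char *a, const char *b)
{
    unsigned pa[4], pb[4];
    if (!parse_version(a, pa) || !parse_version(b, pb)) return -2;
    for (int i = 0; i < 4; i++) {
        if (pa[i] < pb[i]) return -1;
        if (pa[i] > pb[i]) return 1;
    }
    return 0;
}

/* 1 if `installed` already carries the fix for `cve`, 0 if it is still
 * vulnerable, -1 if the CVE is not in the table or a version is malformed. */
int chrome_is_fixed(const char *installed, const char *cve)
{
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (strcmp(FIXED[i].cve, cve) != 0) continue;
        int c = compare_versions(installed, FIXED[i].version);
        return c == -2 ? -1 : (c >= 0);
    }
    return -1;
}
```

Note that 86.0.4240.111 fixes CVE-2020-15999 but not CVE-2020-16009, so a host must be checked against each CVE separately.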

CVE-2020-17087 will reportedly be fixed as part of Microsoft’s November 2020 Patch Tuesday release. We will update this blog post once that fix becomes available.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. Additionally, customers can use our OS Identification plugin to identify Windows assets that will need to be patched once a patch becomes available.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
