Group Policy Elevation of Privilege Vulnerability (CVE-2020-16939, Important)

On Tuesday, October 13th, 2020, Microsoft released updates for all supported versions of Windows and Windows Server to address an elevation of privilege vulnerability in Group Policy, marked as important. Its official Common Vulnerabilities and Exposures (CVE) ID is CVE-2020-16939. Yesterday, the Zero Day Initiative (ZDI) shared more details and a Proof of Concept (PoC).

About the vulnerability

An elevation of privilege vulnerability exists when Group Policy improperly checks access. An attacker who successfully exploited this vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.

The vulnerability was discovered and reported responsibly to Microsoft by security researcher Nabeel Ahmed, associated with the Zero Day Initiative (ZDI).

This vulnerability is similar to CVE-2020-1317 in that the end result is the same, except that this vulnerability is triggered by Group Policy updates. Group Policy caches its policies locally for performance reasons, but some of the steps are not performed in the context of the user but in the context of NT Authority\System. By placing a directory junction, luring this account to a file location of choice, and then aborting the process when the DACL is written to the location, an attacker can gain Full Control permission on the file location specified.

AFFECTED OPERATING SYSTEMS

All Windows versions and Windows Server versions are affected. Both Full installations and Server Core installations of Windows Server are affected.

MITIGATIONS

Microsoft has not identified any mitigating factors for this vulnerability.

WORKAROUNDS

Microsoft has not identified any workarounds for this vulnerability.

About the Security Update

The Elevation of Privilege vulnerability is addressed in the October 2020 updates:

  • KB4580328 for Windows 10 version 1709
  • KB4577668 for Windows 10 version 1803, version 1809 and Windows Server 2019
  • KB4577671 for Windows 10 version 1903 and version 1909 and Windows Server version 1903 and version 1909
  • KB4579311 for Windows 10 version 2004 and Windows Server version 2004
  • KB4580387 for Windows 7 with Service Pack 1
  • KB4580358 for Windows 8.1 and Windows Server 2012 R2
  • KB4580385 for Windows Server 2008
  • KB4580387 for Windows Server 2008 R2
  • KB4580353 for Windows Server 2012
  • KB4580346 for Windows Server 2016

The security update addresses the vulnerability by correcting how Group Policy checks access.
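To check a host against the list above, the following added example (not from the original article or from Microsoft) maps the local OS build to the listed KB and looks it up with `Get-HotFix`. The function name `Test-GroupPolicyUpdate`, the status strings and the build-number keys are assumptions supplied here; the KB numbers are the ones listed above. A missing KB is reported for review rather than as vulnerable, because a rollup or later cumulative update can carry the fix under a different KB number.

```powershell
# Added example. Build numbers (keys) are supplied here, not taken from the
# article; KB numbers (values) are copied from the article's list.
$KbByBuild = @{
    6002  = 'KB4580385'  # Windows Server 2008 (SP2)
    6003  = 'KB4580385'  # Windows Server 2008 (SP2, later build number)
    7601  = 'KB4580387'  # Windows 7 SP1, Windows Server 2008 R2
    9200  = 'KB4580353'  # Windows Server 2012
    9600  = 'KB4580358'  # Windows 8.1, Windows Server 2012 R2
    14393 = 'KB4580346'  # Windows Server 2016
    16299 = 'KB4580328'  # Windows 10 version 1709
    17134 = 'KB4577668'  # Windows 10 version 1803
    17763 = 'KB4577668'  # Windows 10 version 1809, Windows Server 2019
    18362 = 'KB4577671'  # version 1903
    18363 = 'KB4577671'  # version 1909
    19041 = 'KB4579311'  # version 2004
}
$Released = [datetime]'2020-10-13'   # release date of the October 2020 updates

function Test-GroupPolicyUpdate {
    param([int]$Build = [Environment]::OSVersion.Version.Build)

    $kb    = $KbByBuild[$Build]
    $all   = @(Get-HotFix -ErrorAction SilentlyContinue)
    $hasKb = [bool]($kb -and ($all | Where-Object { $_.HotFixID -eq $kb }))

    # Updates installed on or after the release date: candidates for a rollup
    # or later cumulative update, which need a manual look.
    $later = @($all |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Released } |
        ForEach-Object { $_.HotFixID })

    $status = if (-not $kb)  { 'BuildNotListed' }
              elseif ($hasKb) { 'ListedKbInstalled' }
              else            { 'ReviewNeeded' }

    # New-Object keeps this usable on older Windows PowerShell versions.
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Build        = $Build
        ExpectedKb   = $kb
        Status       = $status
        LaterUpdates = $later -join ', '
    }
}

Test-GroupPolicyUpdate | Format-List
```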

Call to Action

Notably, Microsoft has issued updates for Operating Systems (OSs) that have been out of support as of January 14th, 2020. This indicates that this update is deemed important enough to roll out in all Active Directory-oriented networking environments.

I urge you to install the necessary security updates on Windows and Windows Server installations in a test environment as soon as possible, and to assess the risk and possible impact on your production environment. Then, roll out this update to Windows and Windows Server installations in the production environment.

Further reading

CVE-2020-16939: Group Policy DACL Overwrite Privilege Escalation 
CVE-2020-16939 | Group Policy Elevation of Privilege Vulnerability