A vulnerability was found in Microsoft Windows (Operating System). It has been classified as critical. This affects the function CfgAdtpFormatPropertyBlock of the file cng.sys of the component Kernel Cryptography Driver. The manipulation with an unknown input leads to a buffer overflow vulnerability. CWE is classifying the issue as CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was released 10/31/2020 by Mateusz Jurczyk and Sergei Glazunov with Google Project Zero (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17087). The advisory is shared at bugs.chromium.org. This vulnerability is uniquely identified as CVE-2020-17087. The exploitability is told to be easy. Technical details and a private exploit are known. The price for an exploit might be around USD $25k-$100k at the moment (estimation calculated on 04/20/2024).

It is declared as highly functional. The CISA Known Exploited Vulnerabilities Catalog lists this issue since 11/03/2021 with a due date of 05/03/2022:

Apply updates per vendor instructions.

Applying a patch is able to eliminate this problem.

Further details are available at twitter.com.

Productinfo

Type

• Operating System

Vendor

• Microsoft

Name

• Windows

Version

• 7 SP1
• 8.1
• 10
• 10 20H2
• 10 1607
• 10 1803
• 10 1809
• 10 1903
• 10 1909
• 10 2004
• RT 8.1
• Server 20H2
• Server 1903
• Server 1909
• Server 2004
• Server 2008 R2
• Server 2008 SP2
• Server 2012 R2
• Server 2016
• Server 2019

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion