CVE-2015-0010 in Windows
Summary
by MITRE
The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/13/2025
The CVE-2015-0010 vulnerability represents a critical security flaw in Microsoft's Cryptography Next Generation (CNG) kernel-mode driver component that affects multiple Windows operating systems including server and client versions from Windows vista through Windows 8.1. This vulnerability specifically targets the CryptProtectMemory function within cng.sys driver, which is responsible for memory encryption operations. The flaw stems from improper validation of impersonation tokens when the CRYPTPROTECTMEMORY_SAME_LOGON option is employed, creating a path for privilege escalation and bypass of intended security restrictions. The vulnerability is particularly concerning because it operates at the kernel level, allowing local attackers to exploit it without requiring elevated privileges initially, and can be leveraged to decrypt sensitive information that should remain protected.
The technical root cause of this vulnerability lies in the failure of the CryptProtectMemory function to properly validate impersonation token levels when processing memory encryption operations. When the CRYPTPROTECTMEMORY_SAME_LOGON flag is used, the system should verify that the calling process has appropriate authorization levels to access the encrypted data, but this validation is bypassed. The vulnerability can be exploited through two primary vectors: named-pipe planting vulnerabilities in services that allow attackers to inject malicious code into legitimate processes, or by leveraging world-readable shared memory segments where encrypted data is stored and accessible to unauthorized users. This weakness creates a scenario where local users can effectively bypass the intended access controls and decrypt information that should only be accessible to users with specific logon rights.
The operational impact of CVE-2015-0010 is substantial as it enables local privilege escalation and information disclosure attacks across a wide range of Windows systems. Attackers can exploit this vulnerability to gain access to encrypted memory segments that contain sensitive information such as passwords, encryption keys, or other confidential data that should be protected by the CNG security model. The vulnerability affects systems running Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, representing a significant portion of the Microsoft Windows ecosystem. The attack surface is broad due to the widespread use of these operating systems in enterprise environments, making this vulnerability particularly dangerous for organizations that may not have immediate patching capabilities or may be running legacy systems.
This vulnerability aligns with CWE-284 Access Control Issues, specifically related to improper access control validation in kernel-mode components, and maps to ATT&CK technique T1068 Privilege Escalation through exploitation of kernel-mode vulnerabilities. The security implications extend beyond simple information disclosure to include potential credential theft and privilege escalation opportunities that could lead to full system compromise. Organizations should implement immediate mitigations including applying Microsoft security patches, reviewing service configurations to eliminate named-pipe planting vulnerabilities, and implementing proper access controls for shared memory segments. Additionally, monitoring for suspicious processes accessing encrypted memory segments and implementing network segmentation can help reduce the risk of exploitation. The vulnerability demonstrates the critical importance of proper token validation in kernel-mode drivers and highlights the need for comprehensive security testing of system-level components that handle sensitive cryptographic operations.