Threat Research

FortiGuard Labs Discovers Privilege Escalation Vulnerability in Windows 10 Platform

By Kushal Arvind Shah | June 11, 2020

 

FortiGuard Labs Threat Research Report

Affected platforms: Windows 10 & Windows Server 2019
Impacted parties: Windows 10 version 1809+ and Windows Server version 1903+
Impact: Privilege Escalation & User-Privacy Settings Violation
Severity level: Important

This past January, I discovered and reported two Privilege Escalation Vulnerabilities related to User Privacy in the Microsoft Windows 10 platform. This Patch Tuesday (dated June 09, 2020), Microsoft released a security patch for one of these vulnerabilities, identified as CVE-2020-1296. The root cause of this vulnerability is the lack of segregation of Privacy Settings between users and the incorrect handling of Windows Diagnostic Data feedback in memory across all users on the Windows 10 platform. Due to the Important rating of this vulnerability and its implications for user privacy, we recommend that users apply these Microsoft patches as soon as possible.

Initial Discovery of the Privilege Escalation Vulnerability in the Windows 10 Platform (CVE-2020-1296)

At the start of 2020, Microsoft Windows 7 reached end of support, and as a result many users, myself included, made the jump to Windows 10. As a security researcher, I maintain a keen interest in User and Data Privacy, so I tried to keep an eye out for such features and settings.

The first thing that caught my eye was the Privacy Settings options offered during initial installation, as seen below in Figure 1.

Figure 1: Privacy Settings during Initial Installation

We can see the “Diagnostic Data” privacy option (Basic Or Full) presented to the Administrator User.

I decided to try to add a secondary “Standard” User to the system. As seen below in Figure 2, the Diagnostic Data privacy option was not available to the new user.

Figure 2: Standard User with Diagnostic Data Privacy Option "Unavailable"

That meant that All Users on the system were required to abide by the Diagnostic Data settings chosen/opted-for by the Administrator.

The Microsoft Windows 10 Privacy Policy Statement, under the section “What data is collected and why,” explains that “data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device.” Microsoft then states that this Diagnostic Data setting is used to separately collect information for individual users on an individual device. But if that was the case, I believe it would be fair to expect Individual Privacy Policy settings for each individual user on each individual device.

Nevertheless, I then tried to see if this “Same Diagnostic Data Privacy Setting for all Users” could be bypassed or exploited in any way. The following section describes my approach for the same, which led to the discovery of the two vulnerabilities reported to Microsoft.

Vulnerability Scenarios & Related Details for CVE-2020-1296

As explained in the previous section, I noticed that all Users on the system have the same Diagnostic Data setting as the one selected/opted-for by the Initial User (Administrator).

Although there are several Diagnostic Data Levels (Basic, Full, Security, Enhanced), since only two of them are presented to the average user (i.e. Basic or Full), I focused on testing just these two. There are two scenarios here: changing the Privacy Settings from Basic to Full and from Full to Basic. These Privacy Settings can be seen below, in Figure 3:

Figure 3: Diagnostic Data Settings => Basic or Full

First Vulnerability Scenario: “Basic” to “Full” Privilege Escalation

Steps to Reproduce:

  1. During initial installation, the Administrator User selects the “Full” Setting, and thereafter also adds another Standard User to the device. 
  2. The Standard User logs into the system and keeps the Diagnostic Data settings window open. 
  3. The Administrator User then changes the Diagnostic Data setting to “Basic” level. 
  4. The Standard User then changes the Diagnostic Data setting to “Full” level.
  5. The change by the Standard User to the “Full” level is then reflected for the Administrator User also.

Explanation:

This is due to a Race Condition: the “Full” to “Basic” privacy change made by the Administrator User is not reflected in the Standard User's still-open settings window, which allows the Standard User to make an unauthorized change to the Diagnostic Data privacy settings for all users (including the Administrator).

Impact:

This unauthorized change in the Diagnostic Data Privacy Settings by the Standard User for all users on the device (including the Administrator) reduces the privacy of all users on the system.

Second Vulnerability Scenario: “Full” to “Basic” Privilege Escalation

Steps to Reproduce:

  1. During initial installation, the Administrator User selects the “Full” Setting, and then adds another Standard User to the device. 
  2. The Standard User logs into the system and changes the Diagnostic Data setting to “Basic”.
  3. The change by the Standard User to “Basic” is also reflected for the Administrator User.

Explanation:

This is due to the lack of Privacy Setting segregation among the users on the device, which allows any user to change the privacy settings for all Users (including the Administrator).

Impact:

Though this unauthorized change does enhance the privacy of all users on the device, it comes at a cost. Setting the Diagnostic Data setting to “Basic” reduces the effectiveness of Microsoft security offerings such as Microsoft Edge and Windows Defender SmartScreen. The “Full” setting allows Microsoft to obtain pseudonymized browsing history data about potentially abusive or malicious domains, which is used to update Microsoft Edge and Windows Defender SmartScreen so they can warn users about such harmful websites.

It can also be categorized as a “Security Bypass” vulnerability, because it denies new security/feature updates to Windows Insider users. Windows Insider channel users are required to have the Diagnostic Data setting set to “Full” to receive new security/feature updates, so any unauthorized change to this setting denies further Insider channel updates on that system.

Both vulnerability scenarios are demonstrated in the video walk-through that accompanies this post.

Overall Impact of CVE-2020-1296

The overall impact of this issue is that it affects the Privacy Settings of all users on the system. Unauthorized changes to privacy settings due to the Privilege Escalation Vulnerabilities might give a false sense of security to users, and it could also deny new security or feature updates to the device. The “Basic-to-Full” Privilege Escalation Vulnerability would effectively reduce the privacy of all users on the system, and the “Full-to-Basic” Privilege Escalation Vulnerability could deny active protection provided by some Microsoft products, such as Windows Defender SmartScreen, and it would also deny any further feature/security updates for Windows Insider users. 

Remediation & Recommendations

Users should immediately update their systems and apply the security patches from Microsoft. 

In addition, users can routinely monitor their devices for unauthorized changes to their privacy settings using an Endpoint Detection and Response (EDR) security solution like FortiEDR.
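One lightweight way to implement that monitoring without a full EDR product, as an added example that is not part of the FortiGuard post: a PowerShell check that reads the machine-wide Diagnostic Data level and flags drift from an expected baseline. It assumes the `AllowTelemetry` value under the Settings-app location (`HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection`) and the Group Policy location (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection`) uses the documented encoding 0 = Security, 1 = Basic, 2 = Enhanced, 3 = Full; the function names are the author's own.

```powershell
# Added example (not from the FortiGuard post). Assumption: AllowTelemetry uses
# the documented encoding 0=Security, 1=Basic, 2=Enhanced, 3=Full at both the
# Settings-app and the Group Policy registry locations named below.
$LevelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Get-DiagnosticDataLevel {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    )
    $item = Get-ItemProperty -Path $Path -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # no explicit level recorded at this location
    return [int]$item.AllowTelemetry
}

function Test-DiagnosticDataBaseline {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Security', 'Basic', 'Enhanced', 'Full')]
        [string]$Expected
    )
    $settingsLevel = Get-DiagnosticDataLevel
    $policyLevel   = Get-DiagnosticDataLevel -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    # A Group Policy value, when present, overrides the choice made in the Settings app.
    $effective = if ($null -ne $policyLevel) { $policyLevel } else { $settingsLevel }
    $name = if ($null -ne $effective -and $LevelNames.ContainsKey($effective)) { $LevelNames[$effective] } else { 'Unknown' }
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Timestamp       = (Get-Date).ToString('o')
        SettingsLevel   = $settingsLevel
        PolicyLevel     = $policyLevel
        EffectiveLevel  = $name
        MatchesBaseline = ($name -eq $Expected)
    }
}

# Baseline chosen by the device's administrator; any deviation is worth investigating,
# since this post shows a Standard User could change it for everyone.
$result = Test-DiagnosticDataBaseline -Expected 'Basic'
$result | Format-List
if (-not $result.MatchesBaseline) {
    Write-Warning "Diagnostic Data level is '$($result.EffectiveLevel)', expected 'Basic'. Check who changed it and when."
}
```

Run it from a scheduled task and forward the warning to your log collector or EDR so a silent change to the shared setting is noticed rather than discovered by accident.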
