CVE-2020-1113 Overview
A security feature bypass vulnerability exists in Microsoft Windows when the Task Scheduler service fails to properly verify client connections over RPC. This flaw, identified as CWE-295 (Improper Certificate Validation), allows attackers to bypass security features designed to protect the Task Scheduler service, potentially enabling unauthorized actions on affected systems.
Critical Impact
Attackers with network access can exploit improper RPC client connection verification in the Windows Task Scheduler service to bypass security features, potentially achieving high impact on confidentiality, integrity, and availability of affected systems.
Affected Products
- Microsoft Windows 10 (multiple versions including 1607, 1709, 1803, 1809, 1903, 1909)
- Microsoft Windows 7 SP1
- Microsoft Windows 8.1
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 SP2
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019 (including versions 1903 and 1909)
Discovery Timeline
- 2020-05-21 - CVE-2020-1113 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-1113
Vulnerability Analysis
This vulnerability affects the Windows Task Scheduler service, a core Windows component responsible for automating tasks based on time-based or event-based triggers. The root issue lies in improper verification of client connections over RPC (Remote Procedure Call), which is the communication mechanism used by the Task Scheduler to receive and process requests.
When a client connects to the Task Scheduler service via RPC, the service should properly validate the connection and verify the client's identity and authorization level. However, due to inadequate certificate validation (CWE-295), the service fails to properly authenticate these connections, creating an opportunity for attackers to bypass security features that would normally restrict access to the Task Scheduler's functionality.
The network-based attack vector means that exploitation can occur remotely, though it requires low-level privileges and the attack complexity is considered high due to specific conditions that must be met for successful exploitation. Successful exploitation could allow an attacker to perform actions through the Task Scheduler service that would normally be restricted.
Root Cause
The vulnerability stems from improper certificate validation (CWE-295) in the Windows Task Scheduler service. Specifically, the service does not adequately verify client connections over RPC, failing to properly authenticate and authorize incoming requests. This improper validation allows attackers to bypass security controls that should prevent unauthorized access to Task Scheduler functionality.
Attack Vector
The attack is network-based and requires an authenticated attacker with low privileges on the target system. The exploitation scenario involves:
- An attacker establishes a network connection to the target Windows system
- The attacker initiates an RPC connection to the Task Scheduler service
- Due to improper certificate validation, the service fails to properly verify the client connection
- The attacker bypasses security features designed to restrict Task Scheduler operations
- With the security bypass achieved, the attacker can potentially execute unauthorized scheduled tasks or manipulate existing ones
The vulnerability exists in the RPC communication layer of the Task Scheduler service. When processing incoming client connections, the service should validate certificates and client credentials before allowing operations. The flaw allows attackers to circumvent these validation checks, effectively bypassing the security boundary that protects the Task Scheduler service.
For technical implementation details, refer to the Microsoft Security Advisory CVE-2020-1113.
Detection Methods for CVE-2020-1113
Indicators of Compromise
- Unusual RPC connections to the Task Scheduler service (svchost.exe hosting Schedule service) from unexpected network sources
- Anomalous scheduled task creation or modification events in Windows Event Log (Event IDs 106, 140, 141, 4698, 4699, 4700, 4701, 4702)
- Unexpected processes spawned by taskeng.exe or schtasks.exe
- Network traffic anomalies on RPC dynamic ports (49152-65535) or static RPC endpoint mapper port 135
Detection Strategies
- Monitor Windows Security Event Logs for Task Scheduler-related events, particularly task creation (Event ID 4698), task deletion (Event ID 4699), and task modification events
- Implement network monitoring to detect abnormal RPC traffic patterns targeting the Task Scheduler service
- Deploy behavioral analysis to identify suspicious scheduled task activities that deviate from baseline operations
- Use SentinelOne's Storyline technology to correlate Task Scheduler activities with other suspicious behaviors for comprehensive threat detection
Monitoring Recommendations
- Enable advanced auditing for the Windows Task Scheduler service by configuring "Audit Other Object Access Events" in Group Policy
- Implement SIEM rules to alert on unusual scheduled task creation from non-administrative accounts or remote sources
- Monitor for suspicious child processes spawned from Task Scheduler-related executables
- Establish baseline metrics for normal Task Scheduler RPC connection patterns to identify anomalies
How to Mitigate CVE-2020-1113
Immediate Actions Required
- Apply the security update from Microsoft immediately to all affected Windows systems
- Prioritize patching domain controllers and critical infrastructure servers running affected Windows versions
- Implement network segmentation to limit RPC access to the Task Scheduler service from untrusted network segments
- Review and audit existing scheduled tasks for any unauthorized or suspicious entries
Patch Information
Microsoft has released security updates to address this vulnerability. The patches are available through Windows Update, Microsoft Update Catalog, and WSUS. Organizations should obtain the appropriate update for their specific Windows version from the Microsoft Security Advisory CVE-2020-1113.
The security update corrects how the Task Scheduler service validates client connections over RPC, ensuring proper certificate validation is performed before allowing operations.
Workarounds
- Restrict network access to RPC endpoints by configuring Windows Firewall to block inbound RPC traffic from untrusted networks
- Limit Task Scheduler service access through Group Policy by restricting which users can create or modify scheduled tasks
- Consider disabling remote Task Scheduler management if not required for business operations
- Implement network-level authentication (NLA) requirements for remote connections to affected systems
# Block inbound RPC traffic from untrusted networks using Windows Firewall
netsh advfirewall firewall add rule name="Block RPC Inbound" dir=in action=block protocol=tcp localport=135,49152-65535 remoteip=any
# Audit current scheduled tasks for review
schtasks /query /fo LIST /v > scheduled_tasks_audit.txt
# Review Task Scheduler event logs for suspicious activity
wevtutil qe Microsoft-Windows-TaskScheduler/Operational /f:text /c:100
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
